SUMMARY: patches for NFS uid,mknod bugs, portmap proxy bug?

From: Chris Metcalf (metcalf@catfish.LCS.MIT.EDU)
Date: Fri Feb 17 1995 - 17:32:07 CST


Last week I asked about fixes for various NFS bugs. Many thanks to the
people who replied, in particular Casper Dik, who deserves a great deal
of credit for his ongoing role as a patient answerer of Sun questions
in this and other forums.

> - NFS file handles can often be guessed, thus avoiding mountd
> completely and allowing direct access via the nfsd's

As I mentioned, this is handled by applying 100623-03 to a 4.1.2 or 4.1.3
system, or upgrading to 4.1.3_U1, and rerunning the new fsirand binary
on all your file systems. Note that this will cause all NFS clients to
have to remount the filesystems.

> - portmap will give away NFS mounts via proxy if the target host
> lists itself in exports (e.g. as part of a site-wide netgroup)

One way to deal with this is to remove the -n flag to rpc.mountd;
another, as I mentioned, is Wietse Venema's portmap replacement.
In either case, you should also set the kernel nfs_portmon flag to "1" to
prevent unprivileged clients from talking to the NFS daemons. Note that
both of these actions are normally conditional in /etc/rc.local on the
presence of /etc/security/passwd.adjunct, but you can simply comment
out the lines of the conditional to get the safer behavior.

I mentioned that Venema's portmap had not been too stable for us.
However, we haven't had any further problems after an initial flurry.
Perhaps it was a configuration issue.

> - NFS requests with the low 16 bits of the UID = 0 and the high 16
> bits != 0 are mapped to root
> - users can use NFS create requests to make arbitrary device
> special files

These are both apparently fixed in 4.1.3_U1, which we are now
upgrading to. If you haven't before, you may also want to look at
ftp://sunsolve1.sun.com/pub/patches/patches.html, which provides access
to Sun's set of "recommended" patches for various releases, as well as
the patches themselves.

If anyone else is interested in the "nfsbug" tester to find and report
weak spots in NFS, it is at

  ftp://cag.lcs.mit.edu/pub/metcalf/nfsbug.tar.gz

                        Chris Metcalf, MIT Laboratory for Computer Science
                        metcalf@cag.lcs.mit.edu // +1 (617) 253-7766
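
The UID mapping bug quoted above, shown as an added illustration that is not part of the original post and is not Sun's code. It assumes the cause is a root-squash test on the 32-bit AUTH_UNIX uid followed by storage in a 16-bit uid; the function names, the anonymous uid 65534 and the sample credential are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define UID_NOBODY 65534u   /* assumed anonymous uid for squashed root */

/* Read a big-endian 32-bit XDR integer. */
static uint32_t xdr_u32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Extract the uid from an AUTH_UNIX credential body:
 * stamp, machinename (length + bytes padded to 4), uid, gid, gids.
 * Returns 0 on success, -1 if the body is truncated or malformed. */
int authunix_uid(const uint8_t *b, size_t len, uint32_t *uid) {
    if (len < 8) return -1;
    uint32_t namelen = xdr_u32(b + 4);
    if (namelen > 255) return -1;              /* RFC 1057 string limit */
    size_t off = 8 + ((namelen + 3u) & ~3u);   /* skip padded name */
    if (len < off + 4) return -1;
    *uid = xdr_u32(b + off);
    return 0;
}

/* Flawed order (assumed mechanism): root squash tests the full 32-bit
 * wire value, then the result is stored in a 16-bit uid. */
uint16_t map_uid_flawed(uint32_t wire_uid) {
    if (wire_uid == 0) wire_uid = UID_NOBODY;
    return (uint16_t)wire_uid;                 /* 0x00010000 becomes 0 */
}

/* One possible check: a uid that does not fit in 16 bits is never trusted. */
uint16_t map_uid_checked(uint32_t wire_uid) {
    if (wire_uid == 0 || wire_uid > 0xFFFFu) return (uint16_t)UID_NOBODY;
    return (uint16_t)wire_uid;
}

/* Constructed sample: stamp=1, name "ws1", uid=0x00010000, gid=100, no gids. */
static const uint8_t sample_cred[] = {
    0,0,0,1, 0,0,0,3, 'w','s','1',0, 0,1,0,0, 0,0,0,100, 0,0,0,0 };

int main(void) {
    uint32_t uid;
    if (authunix_uid(sample_cred, sizeof sample_cred, &uid) != 0) return 1;
    printf("wire uid 0x%08x flawed=%u checked=%u\n", (unsigned)uid,
           (unsigned)map_uid_flawed(uid), (unsigned)map_uid_checked(uid));
    return 0;
}
```

The same range test can be applied to captured RPC credentials to flag requests whose uid has non-zero high bits.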


