Package: nfs-common
Version: 1:1.3.4-2.5
Severity: grave
Tags: security
Justification: user security hole

I have an NFS client and server both running Debian. I recently upgraded them both to buster. I discovered today that the regular process umask has been ignored on my nfs mounts since the upgrade, and all files and directories are being created a+rw.

On the client, the fstab fstype is nfs4 and the mount options are hard,intr,bg,noatime. The relevant datasets are exported rw,no_root_squash,no_subtree_check from the server.

In researching this, I stumbled across https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1779736 and https://bugzilla.redhat.com/show_bug.cgi?id=1667761 which indicate the problem is present elsewhere as well.

Adding vers=4.1 to my client's mount options completely resolved the problem. (Though now I have a couple weeks' worth of files with unintentionally open permissions to wade through.)

I tagged this as security and grave because it opens up quite a few scenarios for users to receive privileges they shouldn't, and for other potential mischief (placing malicious executables in world-writable directories, etc).

The server is indeed running zfs with its default acltype setting (off). As the Ubuntu bug report shows, mounting with noacl doesn't resolve the behavior either. The RedHat bug occurred with an OpenWRT server, unlikely to be running zfs. I do not believe this bug should be pinned down to ZFS; a filesystem not supporting ACLs should not result in umask 0 for all clients in any scenario.

-- Package-specific info:
-- rpcinfo --
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
-- /etc/default/nfs-common --
NEED_STATD=
STATDOPTS=
NEED_IDMAPD=
NEED_GSSD=
-- /etc/idmapd.conf --
[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages nfs-common depends on:
ii  adduser             3.118
ii  keyutils            1.6-6
ii  libc6               2.28-10
ii  libcap2             1:2.25-2
ii  libcom-err2         1.44.5-1
ii  libdevmapper1.02.1  2:1.02.155-3
ii  libevent-2.1-6      2.1.8-stable-4
ii  libgssapi-krb5-2    1.17-3
ii  libk5crypto3        1.17-3
ii  libkeyutils1        1.6-6
ii  libkrb5-3           1.17-3
ii  libmount1           2.33.1-0.1
ii  libnfsidmap2        0.25-5.1
ii  libtirpc3           1.1.4-0.4
ii  libwrap0            7.6.q-28
ii  lsb-base            10.2019051400
ii  rpcbind             1.2.5-0.3
ii  ucf                 3.0038+nmu1

Versions of packages nfs-common recommends:
ii  python  2.7.16-1

Versions of packages nfs-common suggests:
pn  open-iscsi  <none>
pn  watchdog    <none>

-- no debconf information
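
Two checks for the behaviour reported above, as an added example that is not part of the original report: one tests whether a directory (for instance an NFS mount point) applies the process umask to newly created entries, the other lists recently changed world-writable entries for clean-up. The function names, the probe name and the choice to skip sticky directories are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the bug report). Function and probe names are hypothetical.

# umask_honoured DIR
#   Creates a directory and a file in DIR under umask 022 and inspects the result.
#   Returns 0 if neither carries a group/other write bit, 1 if one does
#   (the umask was not applied), 2 if the probe could not be created.
umask_honoured() {
    dir=$1
    probe="$dir/.umask-probe.$$"
    (
        umask 022
        mkdir "$probe" && : > "$probe/file"
    ) || return 2
    # Any entry of the probe with g+w or o+w means the umask was ignored.
    loose=$(find "$probe" \( -perm -020 -o -perm -002 \) -print)
    rm -rf "$probe"
    [ -z "$loose" ]
}

# list_world_writable DIR DAYS
#   Prints regular files and directories under DIR that are world-writable and
#   whose inode changed within the last DAYS days. Directories with the sticky
#   bit (the /tmp pattern) are skipped; -xdev keeps the scan on one filesystem.
list_world_writable() {
    find "$1" -xdev -ctime "-$2" \
        \( -type f -perm -002 -o -type d -perm -002 ! -perm -1000 \) -print
}
```

Run `umask_honoured` as an ordinary user against each client mount, before and after changing mount options; `list_world_writable` with a day count covering the period since the upgrade gives the list of entries to review.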