Bug#384922: nfs-kernel-server: root_squash is broken

2006-08-30 Thread Steinar H. Gunderson
retitle 384922 please support NFS squashing multiple groups reassign 384922 linux-2.6.16 thanks On Wed, Aug 30, 2006 at 10:31:57AM +1000, Paul Szabo wrote: Are you saying that mountd might be happy to squash gid=staff, but the kernel would not understand such a request? Yes. Or rather, there

Bug#384922: nfs-kernel-server: root_squash is broken

2006-08-30 Thread Paul Szabo
retitle 384922 NFS insecure without support for squashing multiple groups tags 384922 security severity 384922 critical thanks Dear Steinar, ... You may want to actually talk to the NFS kernel server people ... Huh? I thought that is what I have been doing until now! (Oops, my mistake, package

Bug#384922: nfs-kernel-server: root_squash is broken

2006-08-29 Thread Steinar H. Gunderson
On Mon, Aug 28, 2006 at 08:39:41AM +1000, Paul Szabo wrote: There is a warning in man exports against other sensitive UIDs, but not against sensitive GIDs. There are no sensitive UIDs on a default Debian installation, but there is a sensitive GID mandated by policy; there is no default or easy

Bug#384922: nfs-kernel-server: root_squash is broken

2006-08-29 Thread Steinar H. Gunderson
On Wed, Aug 30, 2006 at 08:12:45AM +1000, Paul Szabo wrote: ... this is the wrong package. nfs-utils doesn't do any of the squashing ... I submitted the bug against nfs-kernel-server. I do not understand why you think nfs-utils is involved. nfs-kernel-server is part of nfs-utils. Again:

Bug#384922: nfs-kernel-server: root_squash is broken

2006-08-29 Thread Paul Szabo
Dear Steinar, ... this is the wrong package. nfs-utils doesn't do any of the squashing ... I submitted the bug against nfs-kernel-server. I do not understand why you think nfs-utils is involved. I'm not sure how you think this is supposed to be solved ... Sensible people would fix the

Bug#384922: nfs-kernel-server: root_squash is broken

2006-08-29 Thread Steinar H. Gunderson
On Wed, Aug 30, 2006 at 09:19:37AM +1000, Paul Szabo wrote: One of us is confused. Given that one of us has been co-maintaining nfs-utils for a while, I think I might have an idea :-) Squash is set in /etc/exports, I think /etc/exports is used by mountd; surely it is all done here? mountd

Bug#384922: nfs-kernel-server: root_squash is broken

2006-08-29 Thread Paul Szabo
Dear Steinar, nfs-kernel-server is part of nfs-utils. Again: nfs-utils only contains the userspace part, which has no say in this. One of us is confused. Checking: $ dpkg -I nfs-kernel-server_1.0.6-3.1_i386.deb ... Description: Kernel NFS server support ... $ dpkg -c

Bug#384922: nfs-kernel-server: root_squash is broken

2006-08-29 Thread Paul Szabo
Dear Steinar, ... I think I might have an idea :-) Good. Note that nfs-utils _has_ code in place for parsing gid lists and the like; you can even specify squash_gids=. However, it is not documented for a simple reason: it _does not work_, since the kernel exports no such interface. Are you

Bug#384922: nfs-kernel-server: root_squash is broken

2006-08-27 Thread Paul Szabo
Package: nfs-kernel-server Version: 1:1.0.6-3.1 Severity: critical Justification: root security hole NFS uses root_squash by default, in part (mainly?) so as to make it more difficult to create a setuid-root file in a writable export: protect the exporting server from a compromise of the

Bug#384922: nfs-kernel-server: root_squash is broken

2006-08-27 Thread Paul Szabo
Please see also http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/049079.html Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics University of Sydney Australia