NFS security

Guy Harris guy at gorodish.Sun.COM
Thu Sep 8 05:09:46 AEST 1988 

> The way I interpreted the comment that Guy is responding to was, "on
> all versions of SunOS without NFS, mknod does not have a problem, and
> since (as desribed in a previous article) there is a problem with
> mknod on systems with NFS, it is an NFS problem".  Given this
> interpretation the reasoning doesn't seem so silly.

Considering he didn't try it on any 1.x releases, and therefore didn't try it
on any versions without NFS, it is difficult to see how the comment could be
interpreted in that fashion.  (In fact, he didn't try it on 3.0; 3.0 *did* have
NFS, but I suspect it didn't have this problem, because I don't think it
allowed "mknod"s over the wire.)

Furthermore, the problem occurs when you succeed in doing a "mknod" system
call, and you can only do so when you are running as root; he didn't try
running "mknod" as root, because the message in question only comes out when
you're *not* root.

The message from the "mknod" command has nothing to do with any attempt to
close the security hole in question:

	1) putting a check into the "mknod" command doesn't close the hole, it
	   only narrows it slightly, since anybody who can build a program at
	   all (i.e., has access to the requisite tools and knows enough e.g.
	   C) can build a program that calls "mknod"

and

	2) the check in the "mknod" command merely duplicates the check
	   performed by the "mknod" system call, for reasons unknown to me.

The correct fix is to make UNIX NFS servers refuse to create special files
other than FIFOs if the credentials *after* any UID mapping is performed don't
say the user is root.  The best way to do this on a kernel with the VFS
mechanism would be to change the UFS or System V file system "create" vnode
operation to check the credentials it's handed, and refuse to do the operation
(returning EPERM) if they don't say the user is root.  (The check in the
"mknod" call itself could then be removed, as it would be redundant at best and
incorrect at worst - somebody might actually not want to require a process to
be running as super-user in order to make non-FIFO "mknod"s on their particular
file system type.)

I've submitted a bug report on this.

> My only information regarding this feature in SunOS 4.0 is a brief
> mention in the 4.0 release notes, so I may have mis-interpreted it.
> No doubt someone will correct me if I have.

No, it should be correct; if you do not specify that "/dev/console" is "secure"
in "/etc/ttytab", it should require you to give a password before going
single-user.  (I haven't tried it, so I don't know whether there are any
problems.)

More information about the Comp.unix.wizards mailing list