NFS Security Problems - What are they? - Can they be fixed?

Jonathan I. Kamens jik at athena.mit.edu
Fri Dec 1 18:49:30 AEST 1989 

In article <4166 at cayman.COM> peter at cayman.UUCP (Peter Schmidt) writes:

>Does Kerberos do *all* authentication, or does it concern itself solely with
>logins?

  All Project Athena service that are in any way privileged are 
obtained only with kerberos authentication.  They included:

  * Reading and writing files.
  * Modifying group and mailing list contents.
  * Sending 'authentic' zephyr notification system messages to other
    users.
  * Remote login to other machines without passwords (the kerberos
    remote login protocol replaces .rhosts files)
  * Logging in as root on a fileserver or other service-providing
    machine (unless, of course, you know the root password and can
    therefore log in with traditional rlogin).
  * Changing your password.
  * Posting messages to the discuss conferencing system (our version
    of notes, you might say, although it wasn't originally written by
    Project Athena staff), and reading restricted discuss meetings.

And I've probably missed a few.

>I ask because I had all my files (including bachelor's thesis data)
>'rm -r'd by a cheesey little hacker (perjorative meaning here) from my dorm at
>MIT.  That was in the spring of 1988, in the Next House Athena Cluster.
>Looking at the tracks the custard-head left behind - from lastcomm and my
>.history (!) - it seems he used the following procedure:
>
>1) He noted that I was logged into a workstation remotely (not encouraged at
>Athena, but possible with the cooperation of someone at the console.  I had
>logged in on the console, enabled remote login, and gone to my lab, where I
>logged in remotely to run some trials.  Evidently, I was logged out of the
>console by someone soon after I left.)

  Why do you think that logging in to a workstation remotely is not
encouraged at Athena.  The security of kerberos depends on the
security of a user's kerberos tickets, which are obtained at login.
If I can log into a public workstation you're using, I can become root
and read your kerberos ticket file, which is stored locally and owned
by you.  Therefore, I can avail myself of all services available to
you, including access to your files, until the tickets expire (8 hours
from log in, by default, and they cannot be renewed without the
password that created them, which is not part of the tickets).

  ALL public athena workstations are "access off", meaning that remote
log in of any kind is not permitted, unless access is specifically
enabled by the person sitting at the console.  Once you defeat that on
a workstation with a public root password, there is no longer any
security.  That is why Athena doesn't "encourage" remote logins.

>2) He su'd to root with the 'mrroot' password.
>3) He su'd *to me*.
>4) He typed 'rm *', and when this didn't accomplish his goal, he did a 'man
>rm'.  (I'd be laughing now, but it still makes me mad.)
>5) He typed 'rm -r *', did an 'ls' to check his success, and then typed
>'logout'. 
>6) He typed 'exit', and logged out of the workstation.

  In order to understand why this was possible, you have to understand
some more in addition to the idea of kerberos tickets described above.

  Kerberized NFS does *not* resend authentication information with
each NFS request.  Instead, when you log in on a particular
workstation and obtain kerberos tickets as part of the log in
procedure, the following happens:

1. Your workstation makes a mount request to the fileserver on which
   your files are stored, and mounts that filesystem.  No
   authentication yet, so you can't read the files at this point.
2. Your workstation makes a mapping request to the rpc mount daemon
   running on the fileserver.  This request includes (encrypted in a
   manner only the server can decrypt) the information necessary to
   prove to the server that you are who you say you are.
3. When the server receives this information and verifies its
   validity, it establishes a mapping in its authentication database
   between your UID at your workstation and your UID on the fileserver
   (usually the same thing, but doesn't have to be) and the various
   groups you are supposed to be in.

   NOTE: It is important to realize that this mapping is based on two
   different things: Your UID, and your location.  If somebody with
   your UID tries to write to that fileserver from a different host
   without authenticating, it won't work.  It someone logs in as
   someone else on your workstation and tries to write to your files,
   it won't work.

So, during your login session, you are "mapped" to your fileserver.
When you log out, the mappings are *not* immediately removed; instead,
the workstation waits until its five minute deactivate cycle before
removing the mappings.  The time period between when you walk way from
the workstation and when it actually deactivates could give someone
enough time to login to the workstation, su to root, su to you, and
use your mapping to read from/write to your files.  The solution to
this is that people who are worried (read paranoid) about security put
the unmapping commands in their .logout files and watch them execute
before they'll leave the workstation.

  Now, as for what happened in your particular case.  You were logged
into the workstation and working away, so your mappings to your
fileserver were alive and well.  When the guy who blew away your files
logged in and su'd to you, he met the two necessary criteria to have
access to your files.... the right UID at the right location.

>Note that the success of this attack hinged on step 3, and this is where my
>question comes from.  When I examined the /etc/passwd on the machine, I found
>my complete entry had been downloaded.  I assumed at the time (someone from
>Athena feel free to elucidate) that Kerberos downloads the /etc/passwd entry
>at login time, so that it won't have to be bothered with authentication
>requests from 'su's, and so that code that expects to find data in
>/etc/passwd doesn't break.  I find this to be a rather large hole for a system
>that touts its security.  And note that the attacker was not particularly
>smart - his grasp of Unix didn't extend much beyond 'rm', 'ls' and 'su'.

  The /etc/passwd entry has nothing to do with authentication.  It is
inserted because Unix counts very heavily on each user having an entry
in the /etc/passwd file.  Your encrypted password is inserted into the
passwd entry because many programs use the /etc/passwd file for local
authentication (i.e. "lock" and its X counterparts).  The passwd entry
had nothing to do with the a**hole in question's ability to
impersonate you.  The fact that you were logged in with mappings in
such a way that someone else could log in on the same machine and su
to your UID is what made that possible.

  The "short story summary" of all this is that machines that allow
multiple users must be secure in the traditional unix sense in order
for Kerberos authentication from that machine to remain secure as
well.  Machines that only allow one user at a time do not need to have
a secure root and UID namespace.

Jonathan Kamens			              USnail:
MIT Project Athena				11 Ashford Terrace
jik at Athena.MIT.EDU				Allston, MA  02134
Office: 617-253-8495			      Home: 617-782-0710

More information about the Comp.unix.wizards mailing list