DragonFly BSD
DragonFly bugs List (threaded) for 2005-10
[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]

nfs permission escalation?

From: "Simon 'corecode' Schubert" <corecode@xxxxxxxxxxxx>
Date: Sat, 08 Oct 2005 02:26:08 +0200


I just experienced the following:

server# echo '/mnt -ro' >> /etc/exports && /etc/rc.d/mountd reload
Reloading mountd config files.

server% cd /mnt && mkdir foo && chmod 500 foo
server% cp /bin/echo foo && chmod 555 foo/echo

client# mount -t nfs server:/mnt /mnt
client# /mnt/echo foo
echo: permission denied

client% /mnt/echo foo

client# /mnt/echo foo

A directory on the server is only r-x------, the mount is exported with default settings (=rootsquash). Root on the client can't execute a binary from this directory.

Everything fine till here. Now I run the binary as the user on the client: I am allowed to run it. Still fine.

Now if I try to run it as root (again), it suddenly works. I guess that our namecache isn't aware of the rootsquashing and thus grants access to the cached vnode.

Hope I explained this bug correctly :)


Serve - BSD     +++  RENT this banner advert  +++    ASCII Ribbon   /"\
Work - Mac      +++  space for low $$$ NOW!1  +++      Campaign     \ /
Party Enjoy Relax   |   http://dragonflybsd.org      Against  HTML   \
Dude 2c 2 the max   !   http://golden-apple.biz       Mail + News   / \

[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]