Re: UID/GID mapping system

From: Andreas Dilger
Date: Wed Mar 10 2004 - 18:49:41 EST


On Mar 10, 2004 15:41 -0600, Jesse Pollard wrote:
> On Wednesday 10 March 2004 11:58, Søren Hansen wrote:
> > The server can't trust the client as it is now anyway. The client can do
> > whatever it wants already. There is no security impact as I see it.
>
> First, if the server refuses to map uids into what it considers system
> (say, those less than 100... or better, 1000) then the daemons that may be
> using those uids/gids on the server (or other hosts even) will be
> protected from a simple mapping attack. Any attempt to do so will be detected
> by the server, blocked, and reported.
>
> Second, if the various organizations are mapped, then only maps (and
> uids/gids) authorized by those maps can be used. Any hanky panky on the
> client host will ONLY involve those accounts/uids already on the client. They
> will NOT be able to map to accounts/uids that are assigned to the other
> organization. Again, attempts to access improper accounts will be detected
> by the server, blocked, and reported.

I agree with Søren on this. If the client is compromised such that the
attacker can manipulate the maps (i.e. root) then there is no reason why
the attacker can't just "su" to any UID it wants (regardless of mapping)
and NFS is none-the-wiser.

If the client is trusted to mount NFS, then it is also trusted enough not
to use the wrong UID. There is no "more" or "less" safe in this regard.

Cheers, Andreas
--
Andreas Dilger
http://sourceforge.net/projects/ext2resize/
http://www-mddsp.enel.ucalgary.ca/People/adilger/
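
The server-side check discussed in this thread, as an added example that is not part of the original message or of any NFS implementation: the server refuses system uids and uids outside the client's map, yet every uid inside the map is accepted on the client's word alone. The 1000 threshold comes from the quoted text; the map layout, host name and uid values are constructed assumptions.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed policy from the thread: uids below 1000 belong to server daemons. */
#define SYSTEM_UID_MAX 1000u

enum map_result { MAP_OK = 0, MAP_DENY_SYSTEM, MAP_DENY_UNMAPPED };

struct uid_map_entry { uint32_t client_uid, server_uid; };

/* Hypothetical per-client (per-organization) map held on the server. */
struct client_map {
    const char *client;
    const struct uid_map_entry *entries;
    size_t n;
};

/* Translate a uid asserted by the client into a server uid, or refuse. */
enum map_result map_uid(const struct client_map *m, uint32_t asserted,
                        uint32_t *server_uid)
{
    for (size_t i = 0; i < m->n; i++) {
        if (m->entries[i].client_uid != asserted)
            continue;
        /* Refuse even a configured entry if it lands on a system uid. */
        if (m->entries[i].server_uid < SYSTEM_UID_MAX)
            return MAP_DENY_SYSTEM;
        *server_uid = m->entries[i].server_uid;
        return MAP_OK;
    }
    return MAP_DENY_UNMAPPED; /* not authorized for this client: block and report */
}

/* Constructed sample data: two ordinary accounts and a misconfigured root entry. */
static const struct uid_map_entry org_a_entries[] = {
    { 500, 20500 }, { 501, 20501 }, { 0, 0 }
};
static const struct client_map org_a = { "client.org-a.example", org_a_entries, 3 };

int main(void)
{
    const uint32_t asserted[] = { 500, 501, 0, 700 };
    for (size_t i = 0; i < sizeof asserted / sizeof asserted[0]; i++) {
        uint32_t out = 0;
        enum map_result r = map_uid(&org_a, asserted[i], &out);
        printf("%s uid %u -> result %d, server uid %u\n", org_a.client,
               (unsigned)asserted[i], (int)r, (unsigned)out);
    }
    return 0;
}
```

Requests asserting uid 500 and uid 501 both return `MAP_OK`: the map limits which server accounts this client can reach, but it carries no evidence of which local user on the client issued the request.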
