Re: UID/GID mapping system

From: Andreas Dilger
Date: Mon Mar 15 2004 - 12:50:12 EST

On Mar 11, 2004 08:08 -0600, Jesse Pollard wrote:
> On Wednesday 10 March 2004 17:46, Andreas Dilger wrote:
> > I agree with Søren on this. If the client is compromised such that the
> > attacker can manipulate the maps (i.e. root) then there is no reason why
> > the attacker can't just "su" to any UID it wants (regardless of mapping)
> > and NFS is none-the-wiser.
> Absolutely true. The attacker can do the "su" to any uid. Which is why the
> server must be the one to provide the mapping service. The server does not
> have to accept the UID unless it is one of the entries in the authorized map.

But this is true whether the client is mapping the UIDs or not. The server
wouldn't know whether the client is mapping UIDs or not, so it shouldn't trust
UIDs from a client that isn't supposed to be using that UID.

> This isolates the penetration to only the accounts authorized to the
> penetrated host.

Still true regardless of client-side UID mapping.

> And even root can be blocked from access to the server - in fact, root
> could be mapped to any uid by the server (say for the purpose of remote
> configuration files). The penetrated client can only access accounts that
> were authorized by the server map.

Still true regardless of client-side UID mapping.

> > If the client is trusted to mount NFS, then it is also trusted enough not
> > to use the wrong UID. There is no "more" or "less" safe in this regard.
> It is only trusted to not misuse the uids that are mapped for that client. If
> the client DOES misuse the uids, then only those mapped uids will be affected.
> UIDS that are not mapped for that host will be protected.

Still true regardless of client-side UID mapping.

> It is to ISOLATE the penetration to the host that this is done. The server
> will not and should not extend trust to any uid not authorized to that host.

Still true regardless of client-side UID mapping.

Maybe you are confusing some term "mapping" that you understand for the
server-side (related to allowing only certain UIDs for a particular host?)
with an unrelated operation of the same name that Søren is proposing
(which is just a simple uid->uid translation)?

Cheers, Andreas
Andreas Dilger

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at