Re: NFS4 authentification / fsuid

From: Trond Myklebust
Date: Thu Aug 30 2007 - 11:04:18 EST

Next message: Takashi Iwai: "Re: [PATCH] snd_hda_intel for F/S T4210"
Previous message: Andreas Gruenbacher: "[FIX] mntput called before dput in afs"
In reply to: Jan Engelhardt: "Re: NFS4 authentification / fsuid"
Next in thread: J. Bruce Fields: "Re: NFS4 authentification / fsuid"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 2007-08-30 at 16:42 +0200, Jan Engelhardt wrote:
> On Aug 30 2007 10:29, Trond Myklebust wrote:
> >On Thu, 2007-08-30 at 16:12 +0200, Jan Engelhardt wrote:
> >>
> >> with NFS3, there is this 'root hole', i.e. any person who has a root
> >> account (perhaps by use of a laptop) can mount an export (let's say this
> >> export had the "root_squash" option), and still have a look at the user
> >> files, because he can locally setuid() into another user.
> >>
> >> So I was looking for alternatives. CIFS is my favorite candidate, but it
> >> has a few issues right now. So does sshfs and about everything I have
> >> come across. Since I remember NFS4 can use KRB5 authentification, my
> >> question is, will the NFS(4) server process run with an fsuid equal to
> >> the user that authenticated?
> >
> >NFSv3 should work fine with krb5 too, but that won't solve your problem
> >with setuid: kerberos saves the TGT in a file on /tmp, so root can still
> >suid and grab your cred (and the same goes for CIFS).
>
> Hm? I do not see this problem with CIFS. The user may have local
> root, but on the server, he only has his non-root account on the
> server, and as such, can only operate on the server using this
> non-root fsuid.

With CIFS or other password based protocols (including RPCSEC_GSS) all
the root user needs in order to steal your identity is to grab a copy of
your password or a credential. It is not quite as trivial to do as
changing uid, but it is hardly rocket science if the compromised machine
is one that you log into regularly.

> Did I miss something? (Especially the /dev/mem thing
> is not quite clear to me.)
>
> >BTW: even when this task is done, a creative root can still find ways to
> >subvert the security (he can read /dev/mem, replace the kernel with a
> >compromised one, ....). The bottom line is that if you can't trust root,
> >don't even log in.

What I'm saying is that the superuser can pretty much do whatever it
takes to grab either your kerberos password (e.g. install a keyboard
listener), a stored credential (read the contents of your kerberos
on-disk credential cache), or s/he can access the cached contents of the
file by hunting through /dev/kmem.

IOW: There is no such thing as security on a root-compromised machine.

Trond

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Takashi Iwai: "Re: [PATCH] snd_hda_intel for F/S T4210"
Previous message: Andreas Gruenbacher: "[FIX] mntput called before dput in afs"
In reply to: Jan Engelhardt: "Re: NFS4 authentification / fsuid"
Next in thread: J. Bruce Fields: "Re: NFS4 authentification / fsuid"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]