[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1188486240.6755.51.camel@heimdal.trondhjem.org>
Date: Thu, 30 Aug 2007 11:04:00 -0400
From: Trond Myklebust <trond.myklebust@....uio.no>
To: Jan Engelhardt <jengelh@...putergmbh.de>
Cc: Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: NFS4 authentification / fsuid
On Thu, 2007-08-30 at 16:42 +0200, Jan Engelhardt wrote:
> On Aug 30 2007 10:29, Trond Myklebust wrote:
> >On Thu, 2007-08-30 at 16:12 +0200, Jan Engelhardt wrote:
> >>
> >> with NFS3, there is this 'root hole', i.e. any person who has a root
> >> account (perhaps by use of a laptop) can mount an export (let's say this
> >> export had the "root_squash" option), and still have a look at the user
> >> files, because he can locally setuid() into another user.
> >>
> >> So I was looking for alternatives. CIFS is my favorite candidate, but it
> >> has a few issues right now. So does sshfs and about everything I have
> >> come across. Since I remember NFS4 can use KRB5 authentification, my
> >> question is, will the NFS(4) server process run with an fsuid equal to
> >> the user that authenticated?
> >
> >NFSv3 should work fine with krb5 too, but that won't solve your problem
> >with setuid: kerberos saves the TGT in a file on /tmp, so root can still
> >suid and grab your cred (and the same goes for CIFS).
>
> Hm? I do not see this problem with CIFS. The user may have local
> root, but on the server, he only has his non-root account on the
> server, and as such, can only operate on the server using this
> non-root fsuid.
With CIFS or other password based protocols (including RPCSEC_GSS) all
the root user needs in order to steal your identity is to grab a copy of
your password or a credential. It is not quite as trivial to do as
changing uid, but it is hardly rocket science if the compromised machine
is one that you log into regularly.
> Did I miss something? (Especially the /dev/mem thing
> is not quite clear to me.)
>
> >BTW: even when this task is done, a creative root can still find ways to
> >subvert the security (he can read /dev/mem, replace the kernel with a
> >compromised one, ....). The bottom line is that if you can't trust root,
> >don't even log in.
What I'm saying is that the superuser can pretty much do whatever it
takes to grab either your kerberos password (e.g. install a keyboard
listener), a stored credential (read the contents of your kerberos
on-disk credential cache), or s/he can access the cached contents of the
file by hunting through /dev/kmem.
IOW: There is no such thing as security on a root-compromised machine.
Trond
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists