| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 30 Aug 2007 11:04:00 -0400 From: Trond Myklebust <trond.myklebust@....uio.no> To: Jan Engelhardt <jengelh@...putergmbh.de> Cc: Linux Kernel Mailing List <linux-kernel@...r.kernel.org> Subject: Re: NFS4 authentification / fsuid On Thu, 2007-08-30 at 16:42 +0200, Jan Engelhardt wrote: > On Aug 30 2007 10:29, Trond Myklebust wrote: > >On Thu, 2007-08-30 at 16:12 +0200, Jan Engelhardt wrote: > >> > >> with NFS3, there is this 'root hole', i.e. any person who has a root > >> account (perhaps by use of a laptop) can mount an export (let's say this > >> export had the "root_squash" option), and still have a look at the user > >> files, because he can locally setuid() into another user. > >> > >> So I was looking for alternatives. CIFS is my favorite candidate, but it > >> has a few issues right now. So does sshfs and about everything I have > >> come across. Since I remember NFS4 can use KRB5 authentification, my > >> question is, will the NFS(4) server process run with an fsuid equal to > >> the user that authenticated? > > > >NFSv3 should work fine with krb5 too, but that won't solve your problem > >with setuid: kerberos saves the TGT in a file on /tmp, so root can still > >suid and grab your cred (and the same goes for CIFS). > > Hm? I do not see this problem with CIFS. The user may have local > root, but on the server, he only has his non-root account on the > server, and as such, can only operate on the server using this > non-root fsuid. With CIFS or other password based protocols (including RPCSEC_GSS) all the root user needs in order to steal your identity is to grab a copy of your password or a credential. It is not quite as trivial to do as changing uid, but it is hardly rocket science if the compromised machine is one that you log into regularly. > Did I miss something? (Especially the /dev/mem thing > is not quite clear to me.) > > >BTW: even when this task is done, a creative root can still find ways to > >subvert the security (he can read /dev/mem, replace the kernel with a > >compromised one, ....). The bottom line is that if you can't trust root, > >don't even log in. What I'm saying is that the superuser can pretty much do whatever it takes to grab either your kerberos password (e.g. install a keyboard listener), a stored credential (read the contents of your kerberos on-disk credential cache), or s/he can access the cached contents of the file by hunting through /dev/kmem. IOW: There is no such thing as security on a root-compromised machine. Trond - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists