NFS security

Chris Torek chris at mimsy.UUCP
Tue Aug 16 06:47:18 AEST 1988


In article <8610 at swan.ulowell.edu> arosen at eagle.ulowell.edu (MFHorn) writes:
>An NFS server maps uid 0 from incoming RPC requests to 'nobody', which
>is configured into the kernel. ... The default setting for nobody is
>(in most implementations) -2.

This mapping is almost useless.  If I am root on machine sneaky.edu,
and want to be anyone else on machine uptight.edu, all I have to do
is set my uid on sneaky.  Granted, I cannot do anything as uid 0 on
uptight, but I can do anything as anyone else.

>Also, if you don't export any filesystems to a particular host, that
>host can do nothing to your host even if nobody is set to 0.

*snicker*

Actually, this almost works in some NFS implementations.  In old SunOSes
(I have no current ones so I have no idea if it has been fixed there),
all I have to do is cobble up a request packet that claims my hostname
is one to which you do export some file system, and your mount daemon
will believe me.  It does not even check the Internet address, just the
name I stuff in my request packet!

Even if you fix this, all I have to do is make up a suitable file handle.
That can be anywhere from trivial (passive spying will show some fine
handles) to somewhat hard.  What is needed is real authentication.

(SunOS 5.0 anyone? :-) ... actually, I understand Sun are working hard
on this one.)
-- 
In-Real-Life: Chris Torek, Univ of MD Comp Sci Dept (+1 301 454 7163)
Domain:	chris at mimsy.umd.edu	Path:	uunet!mimsy!chris
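An added worked example (not part of Chris Torek's post, and not any vendor's NFS code) that models the two weaknesses he describes. It builds and parses an AUTH_UNIX (AUTH_SYS) RPC credential in its XDR wire layout (stamp, machine name, uid, gid, gids, per RFC 1057), applies the server's uid-0-to-nobody mapping, and shows that a client who simply claims a non-zero uid is granted that user's access, since nothing in the credential is authenticated. It then contrasts a mount daemon that trusts the hostname carried in the request with one that derives the hostname from the source address. The hostnames, addresses, uids, export table and reverse-DNS table are all constructed for the example.

```python
import struct

NOBODY = -2  # the "nobody" uid the post describes; uid 0 from the wire is mapped to this


def xdr_uint(n):
    """Encode an unsigned 32-bit XDR integer."""
    return struct.pack(">I", n & 0xFFFFFFFF)


def xdr_string(s):
    """Encode an XDR variable-length opaque/string: length, bytes, pad to 4."""
    return struct.pack(">I", len(s)) + s + b"\0" * ((-len(s)) % 4)


def build_auth_unix(stamp, machinename, uid, gid, gids):
    """Serialise an AUTH_UNIX credential body exactly as a client would put it on the wire."""
    body = xdr_uint(stamp) + xdr_string(machinename) + xdr_uint(uid) + xdr_uint(gid)
    body += xdr_uint(len(gids)) + b"".join(xdr_uint(g) for g in gids)
    return body


def parse_auth_unix(buf):
    """Decode an AUTH_UNIX credential body; the server believes every field it finds here."""
    off = 0

    def u32():
        nonlocal off
        (v,) = struct.unpack_from(">I", buf, off)
        off += 4
        return v

    stamp = u32()
    n = u32()
    name = buf[off:off + n]
    off += n + ((-n) % 4)
    uid, gid = u32(), u32()
    gids = [u32() for _ in range(u32())]
    return {"stamp": stamp, "machinename": name.decode(), "uid": uid, "gid": gid, "gids": gids}


def effective_uid(cred, nobody=NOBODY):
    """Root squashing: only uid 0 is remapped; every other claimed uid is taken at face value."""
    return nobody if cred["uid"] == 0 else cred["uid"]


def server_allows(cred_bytes, file_owner, nobody=NOBODY):
    """Model of a server-side access check on a mode-0600 file owned by file_owner."""
    return effective_uid(parse_auth_unix(cred_bytes), nobody) == file_owner


# Constructed export list and reverse-DNS table for the mount-daemon comparison.
EXPORTS = {"/home": {"trusted.uptight.edu"}}
REVERSE_DNS = {"10.0.0.5": "trusted.uptight.edu", "10.0.0.66": "sneaky.edu"}


def mountd_trusting_name(path, claimed_name, src_addr):
    """The behaviour the post describes: only the name inside the request is consulted."""
    return claimed_name in EXPORTS.get(path, set())


def mountd_checking_address(path, claimed_name, src_addr):
    """The obvious fix: ignore the claimed name, resolve the source address instead."""
    real_name = REVERSE_DNS.get(src_addr)
    return real_name is not None and real_name in EXPORTS.get(path, set())


if __name__ == "__main__":
    victim_uid = 1234  # some ordinary user on uptight.edu (constructed)
    as_root = build_auth_unix(1, b"sneaky.edu", 0, 0, [0])
    as_victim = build_auth_unix(1, b"sneaky.edu", victim_uid, 100, [100])
    print("root on sneaky, uid 0 on the wire  ->", server_allows(as_root, victim_uid))
    print("root on sneaky after su to 1234    ->", server_allows(as_victim, victim_uid))
    print("mountd trusting packet hostname    ->",
          mountd_trusting_name("/home", "trusted.uptight.edu", "10.0.0.66"))
    print("mountd checking source address     ->",
          mountd_checking_address("/home", "trusted.uptight.edu", "10.0.0.66"))
```

The address check only closes the hostname hole the post mentions; as Torek notes, a client that can spoof the source address or has sniffed (or guessed) a valid file handle still gets in, because AUTH_UNIX carries no proof of identity at all. That is the "real authentication" the post asks for, which later arrived as AUTH_DES/AUTH_KERB and RPCSEC_GSS.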