Hi all,
I used to run a Linux file server, with nfsV2 and knfsd.
Several file systems are exported no_root_squash to a few
trusted machines (all Linux) in a cluster.
With nfsV2, nfsd responded to a request according to the
file/directory permissions, and according to the euid/egid of the
requesting process. For example, ftpd runs with ruid=0, and with
euid=<ftp_user_uid>. When ftpd wanted to access a file in an nfs-mounted
volume, the request was processed by nfsd according to ftpd euid/egid.
I have upgraded to an SGI kernel with nfsV3, and I was horrified to
discover a few days later that nfsd responded to
ftpd requests according to ftpd ruid/rgid. This means that a user
making an ftp to an nfs-mounted volume can get files with root
privileges!!! If the mounted filesystem is /home, any user can
ftp ~/.ssh/identity ...
If I export root_squash, things go back in order and the system
security is maintained. But I can no longer perform root operations on
the nfs mounted volumes, which is not comfortable for the cluster management.
I have performed several other tests:
- compare kernel 2.2.15-3SGI_32 and 2.2.15-3SGI_13: same behaviour.
- compare 2.2.15-3SGI_32 and HJ Lu's 2.2.16-8.ext3.4: same behaviour.
- 2.2.15-3SGI_32 behaves safely if I mount -o vers=2 and export no_root_squash.
The problem is clearly related to nfsV3.
Now my question: is it in the nfsV3 spec, or is it a bug in the
implementation? Or something I have not understood?
Thanks for your help.
--
***********************
Jean-Louis Monge tel. (33.1)69 33 45 35
CNRS/LMD fax. (33.1)69 33 30 05
Ecole Polytechnique
91128 Palaiseau Cedex monge@xxxxxxxxxxxxxxxxxxxx
FRANCE
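To check which credential an export actually honours, here is an added example (not from the original post) that reproduces the ftpd state described above: a process whose real uid stays 0 while its effective uid is dropped to an unprivileged user, probing a root-only file both on local disk and under the export. It assumes a Linux host, that it is run as root, that the system temp directory is on local disk, and that the mount directory and unprivileged uid given on the command line are placeholders.

```python
import os
import sys
import tempfile

def readable_as_euid(path, euid):
    """Fork a child that keeps the caller's real uid but switches its effective uid
    to `euid` (the ftpd state), then try to open `path`. None = could not seteuid."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                                  # child
        os.close(r)
        try:
            os.seteuid(euid)                      # ruid untouched, euid dropped
        except OSError:
            os.write(w, b"E")
            os._exit(0)
        try:
            with open(path, "rb"):
                pass
            os.write(w, b"1")                     # read was permitted
        except OSError:
            os.write(w, b"0")                     # read was refused
        os._exit(0)
    os.close(w)
    verdict = os.read(r, 1)
    os.close(r)
    os.waitpid(pid, 0)
    return {b"1": True, b"0": False}.get(verdict)

def compare_local_and_export(export_dir, unpriv_uid):
    """Create a root-only (mode 0600) file on local disk and under the export, probe
    each with the dropped euid. Local disk checks the euid; a server honouring ruid won't."""
    results = {}
    for label, directory in (("local", tempfile.gettempdir()), ("export", export_dir)):
        fd, path = tempfile.mkstemp(dir=directory)   # owned by the caller (root)
        os.write(fd, b"secret\n")
        os.close(fd)
        os.chmod(path, 0o600)                         # owner-only read
        try:
            results[label] = readable_as_euid(path, unpriv_uid)
        finally:
            os.unlink(path)
    return results

if __name__ == "__main__":
    if os.geteuid() != 0 or len(sys.argv) != 3:
        sys.exit("usage (run as root): probe.py <dir-on-nfs-mount> <unprivileged-uid>")
    print(compare_local_and_export(sys.argv[1], int(sys.argv[2])))
```

A result of True under "export" together with False under "local" means the server applied the real uid rather than the effective uid, which is the behaviour the post observed with nfsV3; with root_squash or vers=2 both entries should be False.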