Package: nfs-kernel-server
Version: 1:1.0.6-3.1
Severity: critical
Justification: root security hole

NFS uses root_squash by default, in part (mainly?) so as to make it more difficult to create a setuid-root file in a writable export: protect the exporting server from a compromise of the mounting client.

With Debian policy, group staff is root-equivalent: an evil client could create a setgid-staff file, and with that trojanize /usr/local/bin (drop a suitable ls or xterm or bash file).

There is a warning in "man exports" against other sensitive UIDs, but not against sensitive GIDs. There are no sensitive UIDs on a default Debian installation, but there is a sensitive GID mandated by policy; there is no default or easy gid_squash on NFS exports. The intended security benefit of root_squash is defeated.

(This is not really a bug in NFS, but a result of broken policy; maybe NFS could document the issue, or help change policy.)

Please see also bug#299007 http://bugs.debian.org/299007 .

Cheers,

Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-spm1.5
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages nfs-kernel-server depends on:
ii  debconf     1.4.30.13     Debian configuration management sy
ii  libc6       2.3.2.ds1-22  GNU C Library: Shared libraries an
ii  libwrap0    7.6.dbs-8     Wietse Venema's TCP wrappers libra
ii  nfs-common  1:1.0.6-3.1   NFS support files common to client
ii  sysvinit    2.86.ds1-1    System-V like init

-- no debconf information
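An added example, not part of the original report and not code from the nfs-utils project: a server-side audit that walks an exported tree and lists regular files that are setgid to a sensitive group, the condition the report says root_squash does not prevent. The function names and the command-line form are assumptions made for this sketch; the default group name "staff" is taken from the report.

```python
import grp
import os
import stat
import sys


def is_setgid_sensitive(mode, gid, sensitive_gids):
    """True for a regular file whose setgid bit takes effect on exec
    (S_ISGID and group-execute both set) and whose group is sensitive."""
    effective = stat.S_ISGID | stat.S_IXGRP
    return (stat.S_ISREG(mode)
            and (mode & effective) == effective
            and gid in sensitive_gids)


def resolve_groups(names):
    """Map group names to numeric GIDs, skipping names unknown on this host."""
    gids = set()
    for name in names:
        try:
            gids.add(grp.getgrnam(name).gr_gid)
        except KeyError:
            pass
    return gids


def scan_export(root, sensitive_gids):
    """Return sorted (path, uid, gid) tuples for setgid-sensitive files under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow client-created symlinks
            except OSError:
                continue
            if is_setgid_sensitive(st.st_mode, st.st_gid, sensitive_gids):
                hits.append((path, st.st_uid, st.st_gid))
    return sorted(hits)


if __name__ == "__main__":
    # Usage (assumed form): audit.py EXPORT_ROOT [GROUP ...]; group defaults to "staff".
    gids = resolve_groups(sys.argv[2:] or ["staff"])
    for path, uid, gid in scan_export(sys.argv[1], gids):
        print(f"setgid file owned by sensitive gid {gid} (uid {uid}): {path}")
```

Run it on the exporting server against each writable export path; root_squash only remaps UID 0, so a file found here could have been created by any client.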