Following up on my post:

> Is it possible for users (non-root) to mount NFS exports?
> I seem to be able to mount_nfs using sudo, but not as a regular user.
Some respondents suggested that the problem lies with the port that the mount_nfs command uses, focusing on the statement in the man pages (man mount_nfs):

    HISTORY
        The -P flag historically informed the kernel to use a reserved port
        when communicating with clients. In OpenBSD, a reserved port is
        always used.

I think this is somewhat misleading, and below I include tcpdump of mount_nfs to demonstrate. (I would appreciate constructive comments, because I do want to learn about this stuff - and of course I want to know if non-root nfs mounts are possible.)

Please (nicely) correct me if I'm wrong:

mount (the client process/application/command, whatever you want to call it) opens a client port, which connects first to server port 111, the portmap service, to request the port for mountd. The portmap service replies with the port number for mountd, say xxx.

mount (client) then opens (another?) port to connect to server port xxx, to contact the mountd server daemon.

On many systems, and certainly OpenBSD by default, server mountd checks whether this request has come from a reserved port on the client. If not, the request is denied.

Two strategies around this check exist.

Client: On many systems, by invoking the mount command with the option -P the client mount will try to use a reserved client machine port. The OpenBSD client mount command does not respect this option, and in particular, a non-root user invoking mount will result in the client mount request coming from a non-reserved port.

Server: On many systems, server mountd can optionally not perform this check. On OpenBSD in particular, starting mountd with the option -n will turn off this check.

So, to say in the man page for mount (the client program) that "a reserved port is always used" is not quite true. A non-root user invoking mount WILL result in the mount (client) request coming from a non-reserved port from the client (OpenBSD) machine.
It is true that by default on OpenBSD the mountd (server) daemon will check that client requests come from a reserved port, but this can be overridden by using the -n option to start mountd.

tcpdumps below

# rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    848  mountd
    100005    3   udp    848  mountd
    100005    1   tcp    961  mountd
    100005    3   tcp    961  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs

# tcpdump -v -ni lo0
(from another shell)
$ sudo mount_nfs 10.0.1.201:/home/sysmgr ~/private/mnt

20:48:35.674040 10.0.1.201.826 > 10.0.1.201.111: [udp sum ok] udp 56 (ttl 64, id 62407, len 84)
20:48:35.674113 10.0.1.201.111 > 10.0.1.201.826: [udp sum ok] udp 28 (ttl 64, id 63683, len 56)
20:48:35.674215 10.0.1.201.682 > 10.0.1.201.111: [udp sum ok] udp 56 (ttl 64, id 50014, len 84)
20:48:35.674261 10.0.1.201.111 > 10.0.1.201.682: [udp sum ok] udp 28 (ttl 64, id 59961, len 56)
20:48:35.674327 10.0.1.201.986 > 10.0.1.201.848: udp 124 (ttl 64, id 36485, len 152)
20:48:35.674434 10.0.1.201.848 > 10.0.1.201.986: udp 68 (ttl 64, id 61671, len 96)
20:48:35.674757 10.0.1.201.613 > 10.0.1.201.2049: xid 0x3548e106 92 fsinfo [|nfs] (ttl 64, id 51588, len 120)
20:48:35.674859 10.0.1.201.2049 > 10.0.1.201.613: xid 0x3548e106 reply ok 164 fsinfo POST: DIR 755 ids 1000/1000 sz 0x200 [|nfs] (ttl 64, id 48954, len 192)
20:48:35.674905 10.0.1.201.613 > 10.0.1.201.2049: xid 0x3548e1f6 92 fsstat [|nfs] (ttl 64, id 46857, len 120)
20:48:35.674954 10.0.1.201.2049 > 10.0.1.201.613: xid 0x3548e1f6 reply ok 168 fsstat POST: DIR 755 ids 1000/1000 sz 0x200 [|nfs] (ttl 64, id 62434, len 196)
20:48:35.675466 127.0.0.1.16808 > 127.0.0.1.53: [udp sum ok] 36508+ PTR? 201.1.0.10.in-addr.arpa. (41) (ttl 64, id 33432, len 69)
20:48:35.675716 127.0.0.1.53 > 127.0.0.1.16808: 36508* 1/1/0 201.1.0.10.in-addr.arpa. PTR[|domain] (ttl 64, id 48617, len 123)

succeeds; client port 986 connects to server mountd on port 848

$ sudo umount ~/private/mnt

20:49:21.053800 10.0.1.201.937 > 10.0.1.201.111: [udp sum ok] udp 56 (ttl 64, id 48732, len 84)
20:49:21.053911 10.0.1.201.111 > 10.0.1.201.937: [udp sum ok] udp 28 (ttl 64, id 45008, len 56)
20:49:21.054180 10.0.1.201.872 > 10.0.1.201.848: udp 124 (ttl 64, id 36036, len 152)
20:49:21.054628 10.0.1.201.848 > 10.0.1.201.872: [udp sum ok] udp 24 (ttl 64, id 63817, len 52)
20:49:21.055301 127.0.0.1.39601 > 127.0.0.1.53: [udp sum ok] 59666+ PTR? 201.1.0.10.in-addr.arpa. (41) (ttl 64, id 57481, len 69)
20:49:21.111444 127.0.0.1.53 > 127.0.0.1.39601: 59666* 1/1/0 201.1.0.10.in-addr.arpa. PTR[|domain] (ttl 64, id 43474, len 123)

(as regular user sysmgr)
$ mount_nfs 10.0.1.201:/home/sysmgr ~/private/mnt

20:51:01.214015 10.0.1.201.8020 > 10.0.1.201.111: [udp sum ok] udp 56 (ttl 64, id 4930, len 84)
20:51:01.214069 10.0.1.201.111 > 10.0.1.201.8020: [udp sum ok] udp 28 (ttl 64, id 11732, len 56)
20:51:01.214165 10.0.1.201.6237 > 10.0.1.201.111: [udp sum ok] udp 56 (ttl 64, id 24342, len 84)
20:51:01.214198 10.0.1.201.111 > 10.0.1.201.6237: [udp sum ok] udp 28 (ttl 64, id 29885, len 56)
20:51:01.214279 10.0.1.201.31435 > 10.0.1.201.848: udp 112 (ttl 64, id 28369, len 140)
20:51:01.214553 10.0.1.201.848 > 10.0.1.201.31435: [udp sum ok] udp 20 (ttl 64, id 7885, len 48)

fails with
mount_nfs: bad MNT RPC: RPC: Authentication error; why = Client credential too weak
comes from client port 31435 to server mountd service on port 848

restart mountd with -n option

# rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    711  mountd
    100005    3   udp    711  mountd
    100005    1   tcp    665  mountd
    100005    3   tcp    665  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs

(as regular user sysmgr)
$ mount_nfs 10.0.1.201:/home/sysmgr ~/private/mnt

20:56:16.059107 10.0.1.201.32114 > 10.0.1.201.111: [udp sum ok] udp 56 (ttl 64, id 34196, len 84)
20:56:16.059169 10.0.1.201.111 > 10.0.1.201.32114: [udp sum ok] udp 28 (ttl 64, id 62039, len 56)
20:56:16.059276 10.0.1.201.34110 > 10.0.1.201.111: [udp sum ok] udp 56 (ttl 64, id 34948, len 84)
20:56:16.059314 10.0.1.201.111 > 10.0.1.201.34110: [udp sum ok] udp 28 (ttl 64, id 36397, len 56)
20:56:16.059383 10.0.1.201.35725 > 10.0.1.201.711: udp 112 (ttl 64, id 42521, len 140)
20:56:16.059488 10.0.1.201.711 > 10.0.1.201.35725: udp 68 (ttl 64, id 54067, len 96)
20:56:16.060059 127.0.0.1.1940 > 127.0.0.1.53: [udp sum ok] 37677+ PTR? 201.1.0.10.in-addr.arpa. (41) (ttl 64, id 36697, len 69)
20:56:16.060224 127.0.0.1.53 > 127.0.0.1.1940: 37677* 1/1/0 201.1.0.10.in-addr.arpa. PTR[|domain] (ttl 64, id 46542, len 123)

mountd does not perform the port check; client port 35725 connects to server mountd at port 711, but mountd fails with
mount_nfs: /home/sysmgr/private/mnt: Permission denied
which is now another problem for a new thread, I suppose
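Added example (editor's code, not part of the original post): a small Python script that does by hand what the post does by eye. It reads `rpcinfo -p` output to learn which port mountd registered, picks the MOUNT request out of `tcpdump -n` output by destination port, and reports whether the client's source port is reserved (below 1024). The embedded samples are constructed from the rpcinfo and tcpdump lines shown in the post; `mountd_accepts` only mimics the source-port check as the post describes it (reject non-reserved ports by default, skip the check when mountd runs with -n) and is not taken from mountd's actual source.

```python
"""Audit an NFS mount attempt from tcpdump output: locate the MOUNT RPC
request sent to mountd and check whether it left the client from a
reserved port (< 1024), which is what a default mountd insists on."""
import re
from typing import Dict, List

# Constructed samples, transcribed from the post's rpcinfo -p and tcpdump output.
RPCINFO_SAMPLE = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    848  mountd
    100005    3   udp    848  mountd
    100005    1   tcp    961  mountd
    100005    3   tcp    961  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
"""

ROOT_MOUNT_SAMPLE = """\
20:48:35.674040 10.0.1.201.826 > 10.0.1.201.111: [udp sum ok] udp 56 (ttl 64, id 62407, len 84)
20:48:35.674113 10.0.1.201.111 > 10.0.1.201.826: [udp sum ok] udp 28 (ttl 64, id 63683, len 56)
20:48:35.674327 10.0.1.201.986 > 10.0.1.201.848: udp 124 (ttl 64, id 36485, len 152)
20:48:35.674434 10.0.1.201.848 > 10.0.1.201.986: udp 68 (ttl 64, id 61671, len 96)
20:48:35.674757 10.0.1.201.613 > 10.0.1.201.2049: xid 0x3548e106 92 fsinfo [|nfs] (ttl 64, id 51588, len 120)
"""

USER_MOUNT_SAMPLE = """\
20:51:01.214015 10.0.1.201.8020 > 10.0.1.201.111: [udp sum ok] udp 56 (ttl 64, id 4930, len 84)
20:51:01.214279 10.0.1.201.31435 > 10.0.1.201.848: udp 112 (ttl 64, id 28369, len 140)
20:51:01.214553 10.0.1.201.848 > 10.0.1.201.31435: [udp sum ok] udp 20 (ttl 64, id 7885, len 48)
"""

# "<time> <src-ip>.<src-port> > <dst-ip>.<dst-port>:" as printed by tcpdump -n
PKT_RE = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def parse_rpcinfo(text: str) -> Dict[str, Dict[str, int]]:
    """Map service name -> {proto: port} from `rpcinfo -p` output."""
    ports: Dict[str, Dict[str, int]] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[0].isdigit():
            continue  # header line or blank
        _prog, _vers, proto, port, name = fields
        ports.setdefault(name, {})[proto] = int(port)
    return ports


def parse_packets(text: str) -> List[dict]:
    """Extract (src, sport, dst, dport) from each tcpdump -n line."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            pkts.append({"src": m.group(1), "sport": int(m.group(2)),
                         "dst": m.group(3), "dport": int(m.group(4))})
    return pkts


def is_reserved(port: int) -> bool:
    """Privileged (reserved) source ports are 1..1023; only root can bind them."""
    return 0 < port < 1024


def mountd_accepts(sport: int, allow_nonreserved: bool = False) -> bool:
    """Assumed model of mountd's source-port check: by default a request
    from a non-reserved port is refused; with -n the check is skipped."""
    return allow_nonreserved or is_reserved(sport)


def audit_mount(rpcinfo_text: str, tcpdump_text: str, mountd_n: bool = False) -> List[dict]:
    """Return every packet addressed to a mountd port, annotated with whether
    its source port is reserved and whether the modelled mountd would accept it."""
    mountd_ports = set(parse_rpcinfo(rpcinfo_text).get("mountd", {}).values())
    findings = []
    for p in parse_packets(tcpdump_text):
        if p["dport"] in mountd_ports:
            findings.append({**p, "reserved": is_reserved(p["sport"]),
                             "accepted": mountd_accepts(p["sport"], mountd_n)})
    return findings


if __name__ == "__main__":
    for label, capture in (("root", ROOT_MOUNT_SAMPLE), ("user", USER_MOUNT_SAMPLE)):
        for f in audit_mount(RPCINFO_SAMPLE, capture):
            print(f"{label}: MNT from port {f['sport']} -> mountd {f['dport']}: "
                  f"reserved={f['reserved']} accepted={f['accepted']}")
```

Feed it real output with `rpcinfo -p > rpc.txt` and `tcpdump -n ... > cap.txt` on the server and call `audit_mount(open('rpc.txt').read(), open('cap.txt').read())`; the request that trips "Client credential too weak" is the one reported with `reserved=False`. The port read from rpcinfo matters because mountd's port changes across restarts (848 before, 711 after in the post), so hardcoding it would silently miss the request.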