*** This bug is a security vulnerability ***

Public security bug reported:

I've observed this bug on Ubuntu Precise (beta) and Oneiric, and also on Debian 
Squeeze and Debian Testing.
(Kernel versions 2.6.32, 3.0.0 and 3.2.0)
I've found numerous forum posts around the internet from confused users, but no 
solutions.

The bug in question involves using nfs v4 with the idmapd, with users with the 
same username but differing uids across the client and server. The idmapping 
appears to have worked, until you try to write to the directories, at which 
point it skips the idmapping.
This is a security issue as it will allow users to access files owned by other 
users unexpectedly.

When listing files or directories on the client, the directories show up
as owned by your local user, however attempting to write will result in
a Permission Denied error. If you go back to the server and chown the
directory to be owned by the uid used on the client, then the client
will see the directory as owned by the incorrect user -- but WILL be
able to write to it!

The log files for idmapd on both client and server appear to indicate
that things are working correctly. eg:

Server's syslog: rpc.idmapd[777]: Server : (user) id "2012" -> name "postie@localdomain"
Client's syslog: rpc.idmapd[870]: Client 0: (user) name "postie@localdomain" -> id "2014"

Running commands on the client:
$ getent passwd postie
postie:x:2014:2014::/home/postie:/bin/bash
$ cd /srv/test
$ ls -l
drwxr-xr-x 2 postie root 4096 Mar 28 11:48 postie
$ ls -ln
drwxr-xr-x 2 2014 0 4096 Mar 28 11:48 postie
$ touch postie/foo
touch: cannot touch `postie/foo': Permission denied


To prove that the mount *is* mounted read-write, I'll change the ownership of 
the directory on the server to uid 2014, rather than the postie user there (who 
has uid 2012).

Now I run some commands on the client again:
$ ls -l
drwxr-xr-x 2 nobody root 4096 Mar 28 11:48 postie
$ ls -ln
drwxr-xr-x 2 65534 0 4096 Mar 28 11:48 postie
$ touch postie/foo
# It succeeds!


Any thoughts on this, or if there's a better place to report this bug?

** Affects: nfs-utils (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: idmap idmapd nfs nfs4 uid

** Visibility changed to: Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/966734

Title:
  nfs4 allows writes by incorrect users

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/966734/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
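
Added example, not part of the original report: a check for the configuration described above, where an account has the same name but a different uid on client and server. The transcript shows the write being decided on the numeric uid, so the check also lists which server account, if any, holds the client's uid. The sample passwd data is constructed; only the postie uids come from the report and "alice" is hypothetical.

```python
"""Find accounts whose name matches but whose uid differs between an NFSv4
client and server (the setup in the report above). Input is passwd-format
text, e.g. the output of `getent passwd` collected on each host."""

# Constructed sample data. Only the postie uids (2014 on the client,
# 2012 on the server) come from the report; "alice" is hypothetical.
CLIENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
postie:x:2014:2014::/home/postie:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/sh
"""
SERVER_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
postie:x:2012:2012::/home/postie:/bin/bash
alice:x:2014:2014::/home/alice:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/sh
"""


def parse_passwd(text):
    """Return {name: uid} from passwd-format lines, skipping malformed ones."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 7 or line.startswith("#") or not fields[2].isdigit():
            continue
        users[fields[0]] = int(fields[2])
    return users


def uid_mismatches(client_text, server_text):
    """List (name, client_uid, server_uid, server_names_with_client_uid)."""
    client, server = parse_passwd(client_text), parse_passwd(server_text)
    by_uid = {}
    for name, uid in server.items():
        by_uid.setdefault(uid, []).append(name)
    findings = []
    for name in sorted(client.keys() & server.keys()):
        if client[name] != server[name]:
            # Server accounts that own the client's numeric uid, if any.
            findings.append((name, client[name], server[name],
                             sorted(by_uid.get(client[name], []))))
    return findings


if __name__ == "__main__":
    for name, c_uid, s_uid, clash in uid_mismatches(CLIENT_PASSWD, SERVER_PASSWD):
        owner = ", ".join(clash) if clash else "no account"
        print(f"{name}: client uid {c_uid}, server uid {s_uid}; "
              f"uid {c_uid} on the server belongs to {owner}")
```

An empty result means every shared account name has the same uid on both hosts; a non-empty last field marks a server account whose files are exposed to the mismatched client user.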
