Path: utzoo!utgpu!water!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!ames!haven!mimsy!chris
From: chris@mimsy.UUCP (Chris Torek)
Newsgroups: comp.unix.wizards
Subject: Re: NFS security
Message-ID: <13013@mimsy.UUCP>
Date: 15 Aug 88 20:47:18 GMT
References: <23289@labrea.Stanford.EDU> <8610@swan.ulowell.edu>
Organization: U of Maryland, Dept. of Computer Science, Coll. Pk., MD 20742
Lines: 31

In article <8610@swan.ulowell.edu> arosen@eagle.ulowell.edu (MFHorn) writes:
>An NFS server maps uid 0 from incoming RPC requests to 'nobody', which
>is configured into the kernel. ... The default setting for nobody is
>(in most implementations) -2.

This mapping is almost useless. If I am root on machine sneaky.edu,
and want to be anyone else on machine uptight.edu, all I have to do
is set my uid on sneaky. Granted, I cannot do anything as uid 0 on
uptight, but I can do anything as anyone else.

>Also, if you don't export any filesystems to a particular host, that
>host can do nothing to your host even if nobody is set to 0.

*snicker*

Actually, this almost works in some NFS implementations. In old
SunOSes (I have no current ones so I have no idea if it has been fixed
there), all I have to do is cobble up a request packet that claims my
hostname is one to which you do export some file system, and your
mount daemon will believe me. It does not even check the Internet
address, just the name I stuff in my request packet!

Even if you fix this, all I have to do is make up a suitable file
handle. That can be anywhere from trivial (passive spying will show
some fine handles) to somewhat hard.

What is needed is real authentication. (SunOS 5.0 anyone? :-) ...
actually, I understand Sun are working hard on this one.)
--
In-Real-Life: Chris Torek, Univ of MD Comp Sci Dept (+1 301 454 7163)
Domain: chris@mimsy.umd.edu Path: uunet!mimsy!chris
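
Added illustration, not part of the post above and not code from any NFS implementation: a server-side decode of an AUTH_UNIX credential as laid out in RFC 1057, with the uid-0 mapping and the two host checks the thread contrasts. The host names, addresses and function names are constructed for the example, and it assumes the name the mount daemon trusted is the credential's machinename field.

```python
import struct

NOBODY = -2                    # default 'nobody' uid quoted in the post
MAX_NAME, MAX_GIDS = 255, 16   # limits from the RFC 1057 auth_unix struct

def parse_auth_unix(body):
    """Decode the XDR body of an AUTH_UNIX credential (RFC 1057, 9.2)."""
    stamp, nlen = struct.unpack_from(">II", body, 0)
    if nlen > MAX_NAME:
        raise ValueError("machinename too long")
    name = body[8:8 + nlen]
    if len(name) != nlen:
        raise ValueError("truncated machinename")
    off = 8 + ((nlen + 3) & ~3)            # XDR pads strings to 4 bytes
    uid, gid, ngids = struct.unpack_from(">III", body, off)
    if ngids > MAX_GIDS:
        raise ValueError("too many gids")
    gids = struct.unpack_from(">%dI" % ngids, body, off + 12)
    return {"machinename": name.decode("ascii"), "uid": uid, "gid": gid, "gids": list(gids)}

def squash(uid):
    """The mapping under discussion: only uid 0 is remapped, all others pass."""
    return NOBODY if uid == 0 else uid

def name_only_check(cred, exports):
    """Weak form: trusts the host name the client wrote into its own request."""
    return cred["machinename"] in exports

def address_check(peer_ip, exports):
    """Stricter form: ignores the claimed name, compares the source address."""
    return peer_ip in exports.values()

# Constructed sample data (hypothetical host, documentation-range addresses).
EXPORTS = {"friend.example": "192.0.2.10"}
SAMPLE_PEER = "192.0.2.99"     # address the request actually arrived from
SAMPLE_CRED = (struct.pack(">II", 0, 14) + b"friend.example\0\0" +
               struct.pack(">IIII", 1234, 100, 1, 100))

def evaluate(body, peer_ip, exports):
    cred = parse_auth_unix(body)
    return {"claimed_host": cred["machinename"],
            "effective_uid": squash(cred["uid"]),
            "name_only": name_only_check(cred, exports),
            "by_address": address_check(peer_ip, exports)}

if __name__ == "__main__":
    print(evaluate(SAMPLE_CRED, SAMPLE_PEER, EXPORTS))
```

Both the machinename and the uid are fields the client fills in itself, so the address comparison narrows who is accepted but does not authenticate the uid that passes through squash() unchanged.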