Date: Tue, 11 Mar 1997 06:53:07 -0600 (CST)
From: "Thomas H. Ptacek" <tqbf@enteract.com>
To: freebsd-security@freebsd.org
Subject: NFS security issue...
Message-ID: <199703111253.GAA14875@enteract.com>

As we all know, the mount daemon can be configured to ignore mount procs originating on non-reserved ports. MOUNTPROC_NULL will time out from callrpc() if I'm a normal user requesting the service over loopback.

Unfortunately, the same consideration doesn't seem to be given to NFS requests - I can successfully complete an NFSPROC_NULL through callrpc() as a normal user, can't find any code in sys/nfs/nfs_socket.c that ever checks the port on which NFS requests are originating, and can only assume that any arbitrary user on my system, with knowledge of an NFS file handle, can complete NFS transactions.

Is there a reason why nfssvc() can't be told to check the port on incoming NFS requests? This seems to me to be a major loophole in the manner in which NFS RPC requests are validated.

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
"If you're so special, why aren't you dead?"
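
The kind of source-port check the message asks about, as an added example that is not part of the original post and is not FreeBSD's code: a user-space C helper that rejects a request whose peer port is not below IPPORT_RESERVED. The function and enum names are hypothetical, and the sample peer address is constructed.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Hypothetical verdicts for this example. */
enum verdict { REQ_ACCEPT = 0, REQ_REJECT_PORT = 1, REQ_REJECT_ADDR = 2 };

/* Peer source port in host byte order, or -1 if the address is unusable. */
static int peer_port(const struct sockaddr *sa, socklen_t len)
{
    if (sa == NULL ||
        len < (socklen_t)(offsetof(struct sockaddr, sa_family) + sizeof(sa->sa_family)))
        return -1;
    if (sa->sa_family == AF_INET && len >= (socklen_t)sizeof(struct sockaddr_in)) {
        struct sockaddr_in sin;
        memcpy(&sin, sa, sizeof(sin));
        return ntohs(sin.sin_port);   /* port is stored in network byte order */
    }
    if (sa->sa_family == AF_INET6 && len >= (socklen_t)sizeof(struct sockaddr_in6)) {
        struct sockaddr_in6 sin6;
        memcpy(&sin6, sa, sizeof(sin6));
        return ntohs(sin6.sin6_port);
    }
    return -1;                        /* truncated or unsupported family */
}

/* Apply the gate: with require_reserved set, only ports < IPPORT_RESERVED pass. */
enum verdict check_request_source(const struct sockaddr *sa, socklen_t len,
                                  int require_reserved)
{
    int port = peer_port(sa, len);
    if (port < 0)
        return REQ_REJECT_ADDR;
    if (require_reserved && port >= IPPORT_RESERVED)
        return REQ_REJECT_PORT;
    return REQ_ACCEPT;
}

/* Constructed sample peer: IPv4 loopback with the given source port. */
enum verdict check_loopback_peer(unsigned short port, int require_reserved)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    return check_request_source((const struct sockaddr *)&sin, sizeof(sin), require_reserved);
}
```

Comparing `sin_port` without `ntohs()` would misclassify ports such as 4 and 1024 on little-endian hosts, which is why the conversion happens before the comparison.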