Date:      Tue, 11 Mar 1997 06:53:07 -0600 (CST)
From:      "Thomas H. Ptacek" <tqbf@enteract.com>
To:        freebsd-security@freebsd.org
Subject:   NFS security issue...
Message-ID:  <199703111253.GAA14875@enteract.com>

As we all know, the mount daemon can be configured to ignore mount procs
originating on non-reserved ports. MOUNTPROC_NULL will time out from
callrpc() if I'm a normal user requesting the service over loopback.

Unfortunately, the same consideration doesn't seem to be given to NFS
requests - I can successfully complete an NFSPROC_NULL through callrpc()
as a normal user, can't find any code in sys/nfs/nfs_socket.c that ever
checks the port on which NFS requests are originating, and can only assume
that any arbitrary user on my system, with knowledge of an NFS file
handle, can complete NFS transactions.

Is there a reason why nfssvc() can't be told to check the port on incoming
NFS requests? This seems to me to be a major loophole in the manner in
which NFS RPC requests are validated.

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
"If you're so special, why aren't you dead?"
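
The source-port check the message asks about, written as an added userland example; it is not part of the original message and is not FreeBSD kernel code. The names `src_port_ok`, `sample_src` and `RESV_PORT_LIMIT` are hypothetical, and the sample addresses are constructed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical constant: same value as the traditional IPPORT_RESERVED. */
#define RESV_PORT_LIMIT 1024

/* Returns 1 if a request from this source may proceed, 0 if it must be
 * dropped. require_resvport models a server-side policy switch. */
int src_port_ok(const struct sockaddr *sa, int require_resvport)
{
    unsigned port;

    if (!require_resvport)
        return 1;               /* policy off: any source port accepted */
    if (sa == NULL)
        return 0;               /* no source address: fail closed */

    switch (sa->sa_family) {
    case AF_INET:
        port = ntohs(((const struct sockaddr_in *)sa)->sin_port);
        break;
    case AF_INET6:
        port = ntohs(((const struct sockaddr_in6 *)sa)->sin6_port);
        break;
    default:
        return 0;               /* unknown address family: fail closed */
    }
    /* Port 0 is never a valid source; ports below the limit can only be
     * bound by root on a conventional Unix host. */
    return port != 0 && port < RESV_PORT_LIMIT;
}

/* Constructed sample input: a loopback IPv4 source with the given port. */
struct sockaddr_in sample_src(unsigned short port)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    return sin;
}

int main(void)
{
    struct sockaddr_in root = sample_src(1023), user = sample_src(40000);
    printf("port 1023: %d\n", src_port_ok((struct sockaddr *)&root, 1));
    printf("port 40000: %d\n", src_port_ok((struct sockaddr *)&user, 1));
    return 0;
}
```

A reserved-port check only shows that the sender was root on its own host; it does not authenticate that host.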
