From owner-freebsd-security Tue Mar 11 04:53:14 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id EAA28146 for security-outgoing; Tue, 11 Mar 1997 04:53:14 -0800 (PST)
Received: from enteract.com (root@enteract.com [206.54.252.1]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id EAA28136 for ; Tue, 11 Mar 1997 04:53:10 -0800 (PST)
Received: (from tqbf@localhost) by enteract.com (8.8.5/8.7.6) id GAA14875 for freebsd-security@freebsd.org; Tue, 11 Mar 1997 06:53:09 -0600 (CST)
From: "Thomas H. Ptacek"
Message-Id: <199703111253.GAA14875@enteract.com>
Subject: NFS security issue...
To: freebsd-security@freebsd.org
Date: Tue, 11 Mar 1997 06:53:07 -0600 (CST)
Reply-To: tqbf@enteract.com
X-Mailer: ELM [version 2.4 PL24 ME8a]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

As we all know, the mount daemon can be configured to ignore mount procs originating on non-reserved ports. MOUNTPROC_NULL will time out from callrpc() if I'm a normal user requesting the service over loopback.

Unfortunately, the same consideration doesn't seem to be given to NFS requests - I can successfully complete an NFSPROC_NULL through callrpc() as a normal user, can't find any code in sys/nfs/nfs_socket.c that ever checks the port on which NFS requests are originating, and can only assume that any arbitrary user on my system, with knowledge of an NFS file handle, can complete NFS transactions.

Is there a reason why nfssvc() can't be told to check the port on incoming NFS requests? This seems to me to be a major loophole in the manner in which NFS RPC requests are validated.

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
"If you're so special, why aren't you dead?"
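The check the post asks for, modelled in user space as an added example (this is not code from the post, from FreeBSD's nfssvc() or from mountd): a filter that parses the fixed header of a SUN RPC call (RFC 1057 XDR layout) and accepts it only when the UDP source port is below IPPORT_RESERVED, the same reserved-port rule the mount daemon applies to MOUNTPROC requests. The sample packet is constructed inline; the function names (parse_rpc_call, build_null_call, check_request) are this example's own. Program numbers 100003 (NFS) and 100005 (mount) and the 1024 reserved-port boundary are the standard values.

```python
import struct
from dataclasses import dataclass

IPPORT_RESERVED = 1024   # ports below this can only be bound by root on Unix
RPC_CALL = 0             # msg_type for a call (reply is 1)
RPC_VERSION = 2
AUTH_NULL = 0
NFS_PROGRAM = 100003     # standard SUN RPC program number for NFS
MOUNT_PROGRAM = 100005   # standard SUN RPC program number for mountd
SERVED_PROGRAMS = (NFS_PROGRAM, MOUNT_PROGRAM)


@dataclass
class RpcCall:
    xid: int
    prog: int
    vers: int
    proc: int
    cred_flavor: int


def parse_rpc_call(data: bytes) -> RpcCall:
    """Parse the fixed part of an RPC CALL message: xid, msg_type, rpcvers,
    prog, vers, proc, then the credential flavor. Raises ValueError on
    anything that is not a well-formed RPC v2 call."""
    if len(data) < 40:  # 24 bytes of fixed fields + AUTH_NULL cred + AUTH_NULL verf
        raise ValueError("short RPC message")
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack("!6I", data[:24])
    if mtype != RPC_CALL:
        raise ValueError("not an RPC CALL message")
    if rpcvers != RPC_VERSION:
        raise ValueError(f"unsupported RPC version {rpcvers}")
    cred_flavor, cred_len = struct.unpack("!2I", data[24:32])
    if cred_len > 400:  # XDR opaque_auth bodies are limited to 400 bytes
        raise ValueError("oversized credential")
    return RpcCall(xid, prog, vers, proc, cred_flavor)


def build_null_call(xid: int, prog: int, vers: int) -> bytes:
    """Constructed sample input: a procedure-0 (NULL) call with AUTH_NULL
    credentials and verifier, the same message callrpc() sends for a ping."""
    fixed = struct.pack("!6I", xid, RPC_CALL, RPC_VERSION, prog, vers, 0)
    auth = struct.pack("!4I", AUTH_NULL, 0, AUTH_NULL, 0)  # cred + verf, both empty
    return fixed + auth


def check_request(src_port: int, data: bytes, require_reserved: bool = True):
    """Decide whether to service an incoming RPC datagram.

    Returns (accepted, reason). With require_reserved=True this is the
    mountd-style policy the post asks nfssvc() to adopt: a request from a
    non-reserved port could have been sent by any unprivileged user on the
    client, so it is dropped before any NFS procedure runs."""
    try:
        call = parse_rpc_call(data)
    except ValueError as exc:
        return False, f"malformed RPC message: {exc}"
    tag = f"xid={call.xid:#x} prog={call.prog} vers={call.vers} proc={call.proc}"
    if call.prog not in SERVED_PROGRAMS:
        return False, f"{tag}: program not served here"
    if require_reserved and src_port >= IPPORT_RESERVED:
        return False, f"{tag}: rejected, source port {src_port} is not reserved"
    return True, f"{tag}: accepted from port {src_port}"


if __name__ == "__main__":
    pkt = build_null_call(0x1234, NFS_PROGRAM, 2)
    for port in (1023, 40000):  # root-originated vs. unprivileged source port
        print(check_request(port, pkt))
```

The rule only buys what the post describes: it stops an unprivileged user on a trusted client host from issuing NFS requests, because that user cannot bind a port below 1024. It says nothing about a client where the attacker already has root, or about a source address that is not trusted in the first place, so it complements rather than replaces export lists and stronger RPC authentication.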