Date: Tue, 29 Apr 1997 14:53:53 -0700 From: pius@ienet.com To: freebsd-fs@freebsd.org Cc: terryl@ienet.com Subject: nfs cache permissions problem? Message-ID: <199704292153.OAA11773@iago.ienet.com>
next in thread | raw e-mail | index | archive | help
I've noticed that in a certain case it is possible for a user to obtain access to an NFS-mounted file to which he should not (and does not if the fs were mounted locally) have access to. Here's an example: On host1 (NFS server) (/home -> usr/home): /home/pius>ls -al drwx------ 8 pius wheel 512 Apr 24 15:20 . drwxr-xr-x 8 root wheel 512 Apr 29 12:32 .. -rw-r--r-- 1 pius wheel 227 Nov 14 04:03 .cshrc /home/pius> Only user "pius" should have access to ".cshrc" because the x bit of the directory is off for everyone else. Now host1 exports /usr with -maproot=root -network=A.B.C On host2 (NFS client): (1) su to root mount host1:/usr /mnt (2) user "test" logs in (or is logged in) and tries the following: /home/test>more /mnt/home/pius/.cshrc /mnt/home/pius/.cshrc: Permission denied Ok, that's the expected behaviour. (3) now user "pius" logs in (or is logged in) and does the following: /home/pius>more /mnt/home/pius/.cshrc [ ... ] and he can see the file because user "pius" on the client has the same UID as user "pius" on the server. Ok, everything's still as expected. (4) Now user "test" repeats his last command: /home/test>more /mnt/home/pius/.cshrc [ ... ] and now he can read the file! If I "chmod o-r .cshrc", then user "test" can no longer read the file. I don't know much about NFS, but it appears that the requested file is being cached somewhere, and when it's requested again by another user, the path is not checked again to see that the user has execute permission for every part of the path. Only the permissions on the file itself are checked. By the way, I'm running the following machines: The machine running the NFS server is FreeBSD 2.1.7 (cvsupped and the world last made on 3/20/97) The machine running the NFS client is a pre-Lite2 FreeBSD 3.0 (cvsupped with date=97.02.10.00.00.00) But I can reproduce the same problem with the client on the 2.1.7 machine and the server on the 3.0 machine, with the client on the 2.1.7 machine and the server on a 2.1.5 machine, etc. I've seen a series of recent NFS-related commits to the 3.0 and 2.2 branches, but they seemed unrelated to this permissions problem. Is this something other people can reproduce? Is this just one of the expected hazards one is exposed to when using NFS (with -maproot=root)? Regards, Pius
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199704292153.OAA11773>