Date: Tue, 11 Mar 1997 14:57:13 +0100 (MET) From: Guido van Rooij <guido@gvr.win.tue.nl> To: tqbf@enteract.com Cc: freebsd-security@FreeBSD.org Subject: Re: NFS security issue... Message-ID: <199703111357.OAA27007@gvr.win.tue.nl> In-Reply-To: <199703111253.GAA14875@enteract.com> from "Thomas H. Ptacek" at "Mar 11, 97 06:53:07 am"
next in thread | previous in thread | raw e-mail | index | archive | help
Thomas H. Ptacek wrote: > > As we all know, the mount daemon can be configured to ignore mount procs > originating on non-reserved ports. MOUNTPROC_NULL will time out from > callrpc() if I'm a normal user requesting the service over loopback. > > Unfortunately, the same consideration doesn't seem to be given to NFS > requests - I can successfully complete an NFSPROC_NULL through callrpc() > as a normal user, can't find any code in sys/nfs/nfs_socket.c that ever > checks the port on which NFS requests are originating, and can only assume > that any arbitrary user on my system, with knowledge of an NFS file > handle, can complete NFS transactions. > > Is there a reason why nfssvc() can't be told to check the port on incoming > NFS requests? This seems to me to be a major loophole in the manner in > which NFS RPC requests are validated. > I agre. But this is only true for special setups where no systems are involved that you do not control. I still think it is a valid point you make. I made somethig using a syscvtl variable. Perhaps the discussion should be done againb... -Guido
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199703111357.OAA27007>