NFSv4 security
Andrea Venturoli
ml at netfence.it
Wed Oct 16 09:28:25 UTC 2013
Hello.
Since I replaced my server with a 9.2 one, I'm playing with NFSv4 to
test it.
However, something does not work as I expect and I'm not sure if I
understand it correctly or am making some mistake.
Server side, this was my export:
>/usr/home /usr/ports -maproot=root 192.168.0.15
To enable NFSv4, I changed it like this:
>V4:/ 192.168.0.15
>/usr/home /usr/ports -maproot=root 192.168.0.15
(Of course, in the example above, I could root V4 at /usr, but this is
going to grow; besides, this is not the point).
Now, on the client, I can:
>mount -o nfsv4 192.168.0.1:/usr/ports /mnt/temp/
or
>mount -o nfsv4 192.168.0.1:/usr/home /mnt/temp/
Both work.
Now, let's try to break in, going where I don't think I should be able
to go.
>mount -o nfsv4 192.168.0.1:/ /mnt/temp/
This is allowed; no surprises; quoting "man nfsv4":
> The
> nfsd(8) allows a limited subset of operations to be performed on non-
> exported subtrees of the local file system, so that traversal of the tree
> to the exported subtrees is possible.
Well, let's try it:
> # ls /mnt/temp/
(no output)
Fine.
> # ls /mnt/temp/usr
> .snap bin games home include lib lib32 libdata libexec local obj ports sbin share src
Strange, I thought I would get an empty list here, too (!!!!).
> # ls /mnt/temp/usr/bin/
> CC chsh file ipcs mailq pawd soelim users
> Mail ci file2c jobs mailx perl sort uudecode
> addftinfo cksum find join make perl5 split uuencode
> addr2line clang finger jot makeinfo perror sscop vacation
> afmtodit clang++ flex kadmin makewhatis pfbtops ssh verify_krb5_conf
> ...
What??? /usr/bin is not needed to get to /usr/home or /usr/ports/.
> # touch /mnt/temp/usr/bin/newbin
> # ls /mnt/temp/usr/bin/|grep newbin
> newbin
Hell! This is NOT supposed to work, as far as I understand it.
Why this?
Did I understand the docs wrong? (Besides, can someone give any link to
a good description of how and why this tree thing was introduced?).
Is this some sort of interaction with older NFS?
Is something wrong with the following fragment of my server-side rc.conf:
> #New NFSv4 config
> rpcbind_enable="YES"
> rpcbind_flags="-ls"
> nfs_server_enable="YES"
> nfsv4_server_enable="YES"
> nfsuserd_enable="YES"
> #Old NFSv3 config, might be removed in the future
> nfs_server_flags="-u -n 8 -t"
> nfs_reserved_port_only="YES"
> rpc_statd_enable="YES"
> rpc_statd_flags="-p 918"
> rpc_lockd_enable="YES"
> rpc_lockd_flags="-p 868"
> #mountd_enable="YES"
> mountd_flags="-p 685"
bye & Thanks
av.
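As an added audit check, not part of the post or of FreeBSD, the script below parses an exports(5) file in the shape shown above and lists, for each exported directory, the sibling directories that sit on the same server file system but appear in no export line; exports(5) describes each export line as applying within one local file system, so with a V4 root of / those are the directories an administrator would want to review first. The sample exports content is constructed from the post's server config; exported paths that do not exist on the machine running the check are skipped.

```python
import os
import shlex

# Constructed sample, copied from the server-side exports quoted in the post.
SAMPLE_EXPORTS = """\
V4:/ 192.168.0.15
/usr/home /usr/ports -maproot=root 192.168.0.15
"""

def parse_exports(text):
    """Parse exports(5) text into (v4_root, exports), each export being
    (paths, options, hosts). Token classification is simplified:
    '/...' is a path, '-...' an option, anything else a host or network."""
    v4_root, exports = None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        tokens = shlex.split(line)
        if tokens[0].startswith("V4:"):        # 'V4:/' or 'V4: /' both occur
            v4_root = tokens[0][len("V4:"):] or tokens[1]
            continue
        paths = [t for t in tokens if t.startswith("/")]
        opts = [t for t in tokens if t.startswith("-")]
        hosts = [t for t in tokens if not t.startswith(("/", "-"))]
        exports.append((paths, opts, hosts))
    return v4_root, exports

def same_filesystem(a, b):
    """True when both paths live on one server file system (same device id)."""
    return os.stat(a).st_dev == os.stat(b).st_dev

def unexported_siblings(exports):
    """For each exported directory that exists locally, return the sibling
    directories on the same file system that no export line names.
    In the post's layout this is where /usr/bin shows up next to /usr/home."""
    exported = {os.path.normpath(p) for paths, _, _ in exports for p in paths}
    findings = set()
    for path in exported:
        if not os.path.isdir(path):
            continue  # sample paths need not exist on the auditing machine
        parent = os.path.dirname(path)
        for name in os.listdir(parent):
            sib = os.path.join(parent, name)
            if sib in exported or os.path.islink(sib) or not os.path.isdir(sib):
                continue
            if same_filesystem(path, sib):
                findings.add(sib)
    return sorted(findings)
```

Run it on the real /etc/exports with `parse_exports(open("/etc/exports").read())` on the server; any directory it prints is reachable only as far as the server's own export checks allow, which is exactly the behaviour the post is asking about.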