
Re: Old(?) NFS security problem -- nothing to do with NFS ...



On Sun, 2005-07-31 at 18:07 -0700, Travite Davies wrote:
> Hey Everyone,
> I am researching NFS for a Linux security and administration course I
> am taking. I came across information about a security problem in the
> NFS HOW-TO where if the IP is spoofed an attacker can gain access to
> the host. And that if the attacker's username on the client machine has
> the same effective UID as the user whose exported volume the attacker
> is accessing, the attacker is also the owner and can modify files.
> I know the HOW-TO is old, and I was wondering if you can point me in
> the right direction to sites which address the issue to safeguard
> against it, or if it is still a problem.
> Thank you for any help you can provide
> Travis

One thing that trips people up is the fact that NFS is just the network
file service.  If you don't use any authentication except for legacy
UNIX trust by IP, then you deserve what you get.

Same deal with Common Internet Filesystem (CIFS) aka "Windows
Networking" networks.  If you use the Server Message Block (SMB)
services without authentication, it is very easy to spoof all-the-same.

In fact, in pre-ADS (Kerberos-based) CIFS "domains," you can easily
spoof an authorized Windows member of a domain by capturing its fixed
hash and replaying it from the same IP.  You can do the same for users.
The "encrypted passwords" and "machine passwords" of pre-ADS are _false_
security approaches (and enforced with false security client defaults).
And it defaults to allowing "null sessions" -- which is basically the
same problem with NIS password/shadow maps.  And, even more ironically,
CIFS and even "Legacy/Compatibility Mode" ADS server security can be
_worse_ than even NIS if the passwd/shadow maps do not contain the
password (because another authentication system and password store is
used).

A ticketing system like Kerberos offers a true authentication of systems
to other systems, as well as users and other principals, so objects in a
network can be trusted and, most importantly, for a limited time.  In
the best, well configured case, a Kerberosized system and/or server will
not trust a principal (e.g., a user on a particular system or in a
particular realm) _unless_ a ticket has been granted by the KDC for
specific access to that system.  In the common, simplified case, the
ticket merely provides time-limited proof that the principal accessing a
resource is who they say they really are.

A key hallmark of Kerberos is the Kerberos Distribution Center (KDC) aka
"key server" that distributes the time-limited tickets.  It should be
segmented from all other services, and well defended.  Unfortunately for
ADS, the KDC is just another Domain Controller (DC) with all the same
RPC services on the same system.  In other words, KDCs are very hackable
in Windows ADS networks.

System/user authentication has nothing to do with NFS _unless_ you leave
NFS in a state where systems use legacy UNIX authentication and trust
the ID NFS clients send.  The same is true of Windows Networking setups,
unless you set up a domain.  And as I discussed above, CIFS as well as
"Legacy/Compatibility Mode" of ADS still has serious deficiencies in
this regard.

It should be noted that Sun NIS+ (RSA), Sun One (RSA + LDAP via Netscape
Directory Server) and Novell eDirectory (RSA + proprietary X.500/DAP)
all use RSA ticketing.  Microsoft based ADS off of Kerberos, which is
what all UNIX systems are capable of.  Red Hat Linux as of version 7, so
all versions of Fedora Core and Red Hat Enterprise Linux, are
Kerberosized, including NIS and NFS client support (and Kerberos
authentication instead of hashes in passwd/shadow) out-of-the-box.  Via
PAM, NSSwitch and other features, any Linux client can handle a variety
of authentication approaches.


-- 
Bryan J. Smith   b.j.smith@ieee.org      http://thebs413.blogspot.com
--------------------------------------------------------------------- 
It is mathematically impossible for someone who makes more than you
to be anything but richer than you.  Any tax rate that penalizes them
will also penalize you similarly (to those below you, and then below
them).  This is why someone who makes more than you always gets at
least the same, if not a bigger, tax cut.  Otherwise is impossible.
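The reply above turns on one point: with legacy UNIX (AUTH_SYS) NFS security the server believes whatever UID/GID the client sends, gated only by the client's IP address. The following is an added example, not code from this thread or from any NFS project, that audits a Linux-style /etc/exports file for that condition. It assumes exports(5) syntax (client(option,option) entries, sec= listing accepted flavours, root_squash on by default) and uses a constructed sample file rather than any real host's configuration.

```python
"""Audit exports(5)-style entries for reliance on AUTH_SYS (sec=sys).

Added illustration for this thread; the sample exports text below is
constructed, not taken from any real system.
"""
import re
from dataclasses import dataclass

# Constructed sample /etc/exports content (assumed Linux exports(5) syntax).
SAMPLE_EXPORTS = """\
# constructed sample, not a real host's exports file
/export/home   192.168.1.0/24(rw,sync,no_root_squash)
/export/data   *(rw,sec=sys)
/export/secure 192.168.1.0/24(rw,sync,sec=krb5p,root_squash)
/export/mixed  host1.example.org(rw,sec=sys:krb5)
/export/ro     10.0.0.0/8(ro)
"""

# "client(opts)"; an empty client before the parens means "everyone".
CLIENT_RE = re.compile(r'([^(]*)\(([^)]*)\)')


@dataclass(frozen=True)
class Finding:
    path: str
    client: str
    severity: str
    reason: str


def parse_exports(text):
    """Return a list of (path, client, [options]) tuples from exports text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        rest = parts[1] if len(parts) > 1 else ''
        if not rest:                           # bare path: world, default options
            entries.append((path, '*', []))
            continue
        for token in rest.split():
            m = CLIENT_RE.fullmatch(token)
            if m:
                client = m.group(1) or '*'
                opts = [o for o in m.group(2).split(',') if o]
            else:                              # client with no option list
                client, opts = token, []
            entries.append((path, client, opts))
    return entries


def audit(entries):
    """Flag entries that accept AUTH_SYS, i.e. trust the client-supplied UID/GID."""
    findings = []
    for path, client, opts in entries:
        sec = ['sys']          # exports(5) default flavour when sec= is absent
        root_squash = True     # Linux default; no_root_squash turns it off
        for o in opts:
            if o.startswith('sec='):
                sec = o[len('sec='):].split(':')
            elif o == 'no_root_squash':
                root_squash = False
            elif o == 'root_squash':
                root_squash = True
        if 'sys' not in sec:
            continue           # only Kerberos (or other RPCSEC_GSS) flavours: fine
        if client == '*':
            sev, why = 'high', 'AUTH_SYS accepted from any client; no host restriction at all'
        elif not root_squash:
            sev, why = 'high', 'AUTH_SYS with no_root_squash: a host claiming UID 0 is root on the export'
        elif 'ro' in opts:
            sev, why = 'low', 'AUTH_SYS read-only: UID/GID still taken on trust, gated only by source IP'
        else:
            sev, why = 'medium', 'AUTH_SYS: server trusts UID/GID sent by client, gated only by source IP'
        findings.append(Finding(path, client, sev, why))
    return findings


def audit_text(text):
    """Convenience wrapper: parse then audit a whole exports file."""
    return audit(parse_exports(text))


if __name__ == '__main__':
    for f in audit_text(SAMPLE_EXPORTS):
        print(f'{f.severity:6} {f.path:15} {f.client:20} {f.reason}')
```

Running it against the constructed sample flags four of the five exports: the world-readable sec=sys export and the no_root_squash export as high, the sec=sys:krb5 export as medium (the server still accepts the legacy flavour alongside Kerberos), and the read-only export as low. Only the sec=krb5p entry, which is what the reply's "Kerberosized" NFS refers to, passes clean.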


