Wang, I know about "normal NFS" security issues... old times... "trust on host"... -_-'
But I thought that this problem never happens using NFSv4+Kerberos5.
In summary, it's more secure than NFS alone (without Kerberos), but it still has a lot of serious security problems...

On Wed, Aug 26, 2009 at 6:09 PM, le wang<lewang2000@xxxxxxxxx> wrote:
> This is the security issue of NFS which exists extensively in NIS directory
> environments, since regular NFS authentication depends on UID and GID.
> $ ypcat password |grep $FOO to get the user FOO's UID and GID;
> Local root of ANY machine in this Directory could create a faked user with
> FOO's UID and GID through cmd "groupadd" and "useradd", and then access
> FOO's files on any machine.
> If Kerberos 5 is applied, this kind of security issue could be solved
> partially and limited to the scenario which Ondrej described below.
> -Le
>
>
> On Wed, Aug 26, 2009 at 7:51 AM, Ondrej Valousek <webserv@xxxxxxxxxx> wrote:
>>
>> This issue has already been discussed on this list.
>> Local root has access to all credentials stored on that machine and there
>> is nothing you can do about this. You can only tell the user not to log on to a
>> machine which is already compromised by a malicious attacker having root
>> access.
>> Ondrej
>>
>> Carlos André wrote:
>>>
>>> I got a strange security issue. I log on via SSH or local console with
>>> my user and get a ticket; then if local root does su to my user, local root
>>> can access my files.
>>>
>>> I'm using CentOS 5.3:
>>> kernel-2.6.18-128.2.1.el5
>>> krb5-workstation-1.6.1-31.el5_3.3
>>>
>>>
>>> SESSION 1:
>>> -----------------------------------------------------------------
>>> $ ssh root@xxxxxxx
>>> root@xxxxxxx's password:
>>> Last login: Wed Aug 26 08:06:49 2009 from X
>>> [root@KSTATION ~]# su carlos.andre
>>> [carlos.andre@KSTATION root]$ klist
>>> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_10000)
>>>
>>>
>>> Kerberos 4 ticket cache: /tmp/tkt10000
>>> klist: You have no tickets cached
>>> [carlos.andre@KSTATION root]$ cd /misc/home/carlos.andre
>>> bash: cd: /misc/home/carlos.andre: Permission denied
>>> [carlos.andre@KSTATION root]$
>>> -----------------------------------------------------------------
>>> [--OK--]
>>>
>>>
>>> SESSION 2:
>>> -----------------------------------------------------------------
>>> $ ssh carlos.andre@xxxxxxx
>>> carlos.andre@xxxxxxx's password:
>>> Last login: Wed Aug 26 08:01:33 2009 from X
>>> [carlos.andre@KSTATION ~]$ klist
>>> Ticket cache: FILE:/tmp/krb5cc_10000_PPLMqF
>>> Default principal: carlos.andre@xxxx
>>>
>>> Valid starting       Expires              Service principal
>>> 08/26/09 08:30:12    08/26/09 18:30:12    krbtgt/X.BR@xxxx
>>>         renew until 08/26/09 08:30:12
>>>
>>>
>>> Kerberos 4 ticket cache: /tmp/tkt10000
>>> klist: You have no tickets cached
>>> [carlos.andre@KSTATION ~]$ cd /misc/home/carlos.andre
>>> [carlos.andre@KSTATION carlos.andre]$ ls -la
>>> total 8
>>> drwxrwx--- 2 carlos.andre users 4096 Aug 21 09:04 .
>>> drwxr-xr-x 3 root         root     0 Aug 26 08:30 ..
>>> [carlos.andre@KSTATION carlos.andre]$
>>> -----------------------------------------------------------------
>>> [--OK--]
>>>
>>>
>>> NOW BACK TO SESSION 1:
>>> -----------------------------------------------------------------
>>> [carlos.andre@KSTATION root]$ cd /misc/home/carlos.andre
>>> [carlos.andre@KSTATION carlos.andre]$ ls -la
>>> total 8
>>> drwxrwx--- 2 carlos.andre users 4096 Aug 21 09:04 .
>>> drwxr-xr-x 3 root         root     0 Aug 26 08:30 ..
>>> [carlos.andre@KSTATION carlos.andre]$ klist
>>> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_10000)
>>>
>>>
>>> Kerberos 4 ticket cache: /tmp/tkt10000
>>> klist: You have no tickets cached
>>> [carlos.andre@KSTATION carlos.andre]$
>>> -----------------------------------------------------------------
>>> [WTF!?!?]
>>>
>>> Then, if I log on to someone's machine, the local root user (after 'su' to my
>>> user) will have access to my files, like NFS without Kerberos?? Is this
>>> behavior "correct" or is it a bug?
>>> And stranger still, the credentials: root 'su'ed to my user doesn't get
>>> credentials, but still has access to my files...
>>>
>>> Or am I doing something wrong? -_-'
>>>
>>> Thanks.
>>> _______________________________________________
>>> NFSv4 mailing list
>>> NFSv4@xxxxxxxxxxxxx
>>> http://linux-nfs.org/cgi-bin/mailman/listinfo/nfsv4
>>>
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
>
>
> --
> Le Wang
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> The good man is the friend of all living things.
> Gandhi, Mahatma(1869-1948)
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
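The UID/GID trust that Le describes for plain NFS is decided on the server side by the export's sec= option: an export with no sec= at all, or whose sec= list includes sys, accepts whatever UID and GID the client presents. As an added example that is not part of this thread, the following Python audit parses exports-file text and flags such entries (and no_root_squash, since the thread is about local root); the SAMPLE_EXPORTS content is constructed for the example.

```python
import re

# Constructed sample /etc/exports content written for this example;
# it is not the exports file of any host in the thread.
SAMPLE_EXPORTS = """\
# home directories: Kerberos required (krb5p = auth + integrity + privacy)
/export/home   *.example.org(rw,sec=krb5p:krb5i,no_subtree_check)
# legacy export: no sec= option, so the default AUTH_SYS (sec=sys) applies
/export/legacy 192.0.2.0/24(rw,no_root_squash)
/export/mixed  10.0.0.0/8(ro,sec=sys:krb5) *.lab.example.org
"""

# A client spec is either "host" or "host(opt,opt,...)".
_ENTRY_RE = re.compile(r'^([^(]+)(?:\(([^)]*)\))?$')

def parse_exports(text):
    """Return (path, client, [options]) for every client entry in exports text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        for spec in fields[1:]:
            m = _ENTRY_RE.match(spec)
            if m:
                opts = [o for o in (m.group(2) or '').split(',') if o]
                entries.append((fields[0], m.group(1), opts))
    return entries

def audit_exports(text):
    """Flag exports that accept AUTH_SYS, i.e. trust the client-supplied UID/GID."""
    findings = []
    for path, client, opts in parse_exports(text):
        sec_lists = [o[4:].split(':') for o in opts if o.startswith('sec=')]
        if not sec_lists:        # exportfs defaults to sec=sys when sec= is absent
            findings.append((path, client, 'sec= not set, AUTH_SYS is the default'))
        elif 'sys' in sec_lists[-1]:
            findings.append((path, client, 'sec= list includes sys'))
        if 'no_root_squash' in opts:
            findings.append((path, client, 'no_root_squash: client root is root on this export'))
    return findings

if __name__ == '__main__':
    for path, client, reason in audit_exports(SAMPLE_EXPORTS):
        print(f'{path:15} {client:20} {reason}')
```

Note that this only covers the AUTH_SYS trust problem; it says nothing about the kernel-side credential sharing that Carlos observed on a Kerberos-secured mount.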