Although obvious I believe, I forgot to mention that an alternate export
root must be configured for this to be an issue.
Christopher Bii wrote:
It is hinted in the configuration files that an attacker could gain
access to arbitrary folders by guessing symlink paths that match
exported dirs, but this is not the case. They can get access to the root
export with certainty by simply symlinking to "../../../../../../../",
which will nearly* always return "/".
This is due to realpath() being called in the main thread which isn't
chrooted, concatenating the result with the export root to create the
export entry's final absolute path which the kernel then exports.
Also, a linker issue arose so I have added another small hack just to
get it compiled correctly.
Christopher Bii (2):
  Exportfs changes
    - When an export rootdir is present, nfsd_realpath() wrapper is used
      to avoid symlink exploits.
    - Removed canonicalization of rootdir paths. Export rootdir must now
      be an absolute path.
    - Implemented nfsd_path.h
  Temporary fix for build issue for mount util.

 support/export/export.c     |  24 +--
 support/include/nfsd_path.h |   9 +-
 support/misc/nfsd_path.c    | 362 ++++++++++++------------------------
 support/nfs/exports.c       |  59 +++---
 utils/exportfs/exportfs.c   |   8 +-
 5 files changed, 170 insertions(+), 292 deletions(-)
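
An audit helper for the condition the cover letter describes, added here as an example and not part of the patch series or of nfs-utils: it walks a directory used as an export root and counts symlinks that a non-chrooted realpath() resolves outside that root. The function names and the sample tree under /tmp are assumptions constructed for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <ftw.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

static char g_root[PATH_MAX]; /* canonical export root being audited */
static int g_escapes;         /* symlinks that resolve outside g_root */
/* 1 if 'real' is g_root or lies beneath it (prefix match on a '/' boundary). */
static int under_root(const char *real)
{
    size_t n = strlen(g_root);
    return n == 1 || (strncmp(real, g_root, n) == 0 && (real[n] == '/' || real[n] == '\0'));
}

/* nftw() callback: resolve each symlink as a non-chrooted realpath() would. */
static int visit(const char *path, const struct stat *sb, int type, struct FTW *ftw)
{
    char real[PATH_MAX];
    if (type != FTW_SL || realpath(path, real) == NULL) return 0; /* skip dangling links */
    if (!under_root(real))
        printf("escape #%d: %s -> %s\n", ++g_escapes, path, real);
    return 0;
}

/* Walk 'root' without following links; return escaping-symlink count, -1 on error. */
int count_escaping_symlinks(const char *root)
{
    if (realpath(root, g_root) == NULL) return -1;
    g_escapes = 0;
    return nftw(g_root, visit, 16, FTW_PHYS) == 0 ? g_escapes : -1;
}

/* Constructed sample: temp dir with one escaping and one contained symlink. */
int make_sample_tree(char *tmpl)
{
    char up[PATH_MAX], ok[PATH_MAX];
    if (mkdtemp(tmpl) == NULL) return -1;
    snprintf(up, sizeof up, "%s/up", tmpl);
    snprintf(ok, sizeof ok, "%s/ok", tmpl);
    return symlink("../../../../../../../", up) || symlink(".", ok) ? -1 : 0;
}

int main(void)
{
    char t[] = "/tmp/nfsrootXXXXXX";
    return make_sample_tree(t) == 0 && count_escaping_symlinks(t) == 1 ? 0 : 1;
}
```

On the sample tree the "up" link resolves to "/" and is reported, while "ok" resolves to the root itself and is not.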