On Thu, 2007-08-30 at 16:42 +0200, Jan Engelhardt wrote:
quoted text
> On Aug 30 2007 10:29, Trond Myklebust wrote:
> >On Thu, 2007-08-30 at 16:12 +0200, Jan Engelhardt wrote:
> >> 
> >> with NFS3, there is this 'root hole', i.e. any person who has a root 
> >> account (perhaps by use of a laptop) can mount an export (let's say this 
> >> export had the "root_squash" option), and still have a look at the user 
> >> files, because he can locally setuid() into another user.
> >> 
> >> So I was looking for alternatives. CIFS is my favorite candidate, but it 
> >> has a few issues right now. So does sshfs and about everything I have 
> >> come across. Since I remember NFS4 can use KRB5 authentification, my 
> >> question is, will the NFS(4) server process run with an fsuid equal to 
> >> the user that authenticated?
> >
> >NFSv3 should work fine with krb5 too, but that won't solve your problem
> >with setuid: kerberos saves the TGT in a file on /tmp, so root can still
> >suid and grab your cred (and the same goes for CIFS).
> 
> Hm? I do not see this problem with CIFS. The user may have local
> root, but on the server, he only has his non-root account on the
> server, and as such, can only operate on the server using this
> non-root fsuid.

With CIFS or other password based protocols (including RPCSEC_GSS) all
the root user needs in order to steal your identity is to grab a copy of
your password or a credential. It is not quite as trivial to do as
changing uid, but it is hardly rocket science if the compromised machine
is one that you log into regularly.

quoted text
>  Did I miss something? (Especially the /dev/mem thing
> is not quite clear to me.)
> 
> >BTW: even when this task is done, a creative root can still find ways to
> >subvert the security (he can read /dev/mem, replace the kernel with a
> >compromised one, ....). The bottom line is that if you can't trust root,
> >don't even log in.

What I'm saying is that the superuser can pretty much do whatever it
takes to grab either your kerberos password (e.g. install a keyboard
listener), a stored credential (read the contents of your kerberos
on-disk credential cache), or s/he can access the cached contents of the
file by hunting through /dev/kmem.

IOW: There is no such thing as security on a root-compromised machine.

Trond

-
unsubscribe notice
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/