Bug/security hole in NFS cache (1.3.68)

Robert H. de Vries (rhdv@fss.fokker.nl)
Fri, 23 Feb 1996 12:12:31 +0100 (MET)


It seems that the NFS cache keeps its data without regard to who
requested it the first time.
You have to export the file system in such a way that root on the
mounting computer has no root privileges on the exporting computer as
given by the -root option in /etc/exports.
If you read a file as root without read permission, you get a file with NUL
characters only. If you read that same file with another UID with the
right permissions you see the same contents.
On the other hand, if you read that file first as someone with read
privileges and afterwards read the file as root, the file is OK.

Repeat by:
user$ ls -l
total 12
-r-------- 1 user users 5144 Feb 23 12:07 bar
-r-------- 1 user users 5144 Feb 23 12:07 foo
user$ less foo
<contents of foo>
user$ su
root# less foo
<contents of foo>
root# less bar
<lots of ^@ (NUL)>
root# exit
user$ less bar
<lots of ^@ (NUL)>
user$ uname -a
Linux hobbes 1.3.68 #1 Fri Feb 23 09:05:20 MET 1996 i586

Robert

-- 
Robert H. de Vries
Simulation and Robotics
Fokker Space B.V.
e-mail: rhdv@fss.fokker.nl
   tel: (+31)71-5245464
   fax: (+31)71-5245498
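As an added model of the behaviour the report describes (this is illustrative code written for this page, not code from the report or from the kernel): a client page cache keyed only by (file, page) that keeps its zero-filled page when the server denies the read, beside a variant that caches nothing on a denied read. The export, page size, UIDs (1000 for the user, 65534 for the squashed root) and file contents are all constructed, and the server models mode 0400 as "owner only".

```python
PAGE_SIZE = 8  # tiny page so the sample file spans a few pages


class Server:
    """Constructed export with root squashing: uid 0 is mapped to 'nobody'."""
    NOBODY = 65534  # assumed squash target

    def __init__(self, files, root_squash=True):
        self.files = files            # name -> (owner_uid, data); files are mode 0400
        self.root_squash = root_squash

    def read(self, uid, name, index):
        owner, data = self.files[name]
        if self.root_squash and uid == 0:
            uid = self.NOBODY
        if uid != owner:              # mode 0400: only the owner may read
            raise PermissionError(f"uid {uid} may not read {name}")
        return data[index * PAGE_SIZE:(index + 1) * PAGE_SIZE]


class BuggyClient:
    """Cache keyed by (file, page) only; a failed fill leaves the zeroed page cached."""
    def __init__(self, server):
        self.server, self.cache = server, {}

    def read(self, uid, name, index):
        key = (name, index)
        if key not in self.cache:
            page = bytes(PAGE_SIZE)       # page allocated zero-filled before the RPC
            try:
                page = self.server.read(uid, name, index)
            except PermissionError:
                pass                      # denial swallowed; zero page is kept as valid
            self.cache[key] = page
        return self.cache[key]


class FixedClient(BuggyClient):
    """Same shared cache, but a denied read caches nothing and reports the error."""
    def read(self, uid, name, index):
        key = (name, index)
        if key not in self.cache:
            self.cache[key] = self.server.read(uid, name, index)  # raises on denial
        return self.cache[key]


def reproduce(client_cls):
    """Replay the report's sequence; returns what the user finally sees in 'bar'."""
    server = Server({"foo": (1000, b"hello foo file!!"), "bar": (1000, b"secret bar data!")})
    client = client_cls(server)
    assert client.read(1000, "foo", 0) == b"hello fo"   # user reads foo first
    assert client.read(0, "foo", 0) == b"hello fo"      # root then sees the cached foo
    try:
        client.read(0, "bar", 0)                         # root reads bar: denied by server
    except PermissionError:
        pass
    return client.read(1000, "bar", 0)                   # user reads bar afterwards
```

Permission checks at open() time are outside this model; the point it isolates is that a denied read must never leave a page marked valid in a cache that is shared by every UID on the client.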