[Freeipa-users] insecure IPA'd NFS

Steven Jones Steven.Jones at vuw.ac.nz
Wed May 9 22:07:59 UTC 2012


Hi

I'm mounting the mount point via an xterm su -'d to root in the user's GUI... I then open a new xterm, cd to the mount point /nfs1, and then cd into the "user" and edit files as I want...

I am editing files as a forged user that is in IPA, with its forged UID...

So on the RHEL NFS server, looking at the mount point /home (which is exported as /nfs1) and user home dir "thing2", I have file2... chmod'd to 0600 even...
=========
[root at vuwuniconfsipa1 thing2]# ls -aln
total 12
drwx------.  2 125800040 125800040 4096 May  9 17:13 .
drwxr-xr-x. 23         0         0 4096 May  9 14:40 ..
-rw-rw-r--.  1 125800040 125800040    0 May  9 14:45 file
-rw-------.  1 125800040 125800040  108 May  9 17:13 file2
-rw-rw-r--.  1 125800040 125800040    0 May  9 15:34 file3
[root at vuwuniconfsipa1 thing2]# ls -al
total 12
drwx------.  2 thing2 thing2 4096 May  9 17:13 .
drwxr-xr-x. 23 root   root   4096 May  9 14:40 ..
-rw-rw-r--.  1 thing2 thing2    0 May  9 14:45 file
-rw-------.  1 thing2 thing2  108 May  9 17:13 file2
-rw-rw-r--.  1 thing2 thing2    0 May  9 15:34 file3
[root at vuwuniconfsipa1 thing2]# 
=========

On Ubuntu,
=========
thing2 at thing-KVM:~$ cd /nfs1/
thing2 at thing-KVM:/nfs1$ ls -l
total 0
thing2 at thing-KVM:/nfs1$ cd ..
thing2 at thing-KVM:/$ su -
Password: 
root at thing-KVM:~# mount -t nfs 130.195.53.203:/home/ /nfs1
root at thing-KVM:~# logout
thing2 at thing-KVM:/$ cd /nfs1/
thing2 at thing-KVM:/nfs1$ ls -l
total 96
drwx------  2 4294967294 4294967294  4096 2012-02-08 21:26 buchanj1
drwx------  2 4294967294 4294967294  4096 2012-02-08 21:26 irwinph
drwxr-xr-x  4 4294967294 4294967294  4096 2012-05-10 09:27 jonesst1
drwx------  2 4294967294 4294967294 16384 2012-02-08 03:10 lost+found
drwx------  2 4294967294 4294967294  4096 2012-02-08 21:26 nelsonde
drwx------  2 4294967294 4294967294  4096 2012-02-08 21:26 nfsnobody
drwx------  2 4294967294 4294967294  4096 2012-02-08 21:26 sabitoan
drwx------  2 4294967294 4294967294  4096 2012-02-08 21:26 share
drwx------  2 4294967294 4294967294  4096 2012-02-08 21:26 smithsi
drwx------  8 4294967294 4294967294  4096 2012-02-13 15:18 ssj10
drwx------  8 4294967294 4294967294  4096 2012-02-13 14:46 ssj11
drwx------  7 4294967294 4294967294  4096 2012-02-14 10:12 ssj12
drwx------  2 4294967294 4294967294  4096 2012-02-13 14:23 ssj3
drwx------  8 4294967294 4294967294  4096 2012-02-13 14:27 ssj4
drwx------  8 4294967294 4294967294  4096 2012-02-13 14:39 ssj5
drwx------  8 4294967294 4294967294  4096 2012-02-13 14:46 ssj6
drwx------  8 4294967294 4294967294  4096 2012-02-13 14:46 ssj7
drwx------  8 4294967294 4294967294  4096 2012-02-13 14:46 ssj8
drwx------  2 4294967294 4294967294  4096 2012-05-09 17:13 thing2
drwx------  2 4294967294 4294967294  4096 2012-02-08 21:26 tranwa
drwx------ 23 4294967294 4294967294  4096 2012-02-13 10:10 tthing
thing2 at thing-KVM:/nfs1$ cd thign2
-bash: cd: thign2: No such file or directory
thing2 at thing-KVM:/nfs1$ cd thing2
thing2 at thing-KVM:/nfs1/thing2$ ls -l
total 4
-rw-rw-r-- 1 4294967294 4294967294   0 2012-05-09 14:45 file
-rw------- 1 4294967294 4294967294 108 2012-05-09 17:13 file2
-rw-rw-r-- 1 4294967294 4294967294   0 2012-05-09 15:34 file3
thing2 at thing-KVM:/nfs1/thing2$ vi file2
thing2 at thing-KVM:/nfs1/thing2$ 
===========

and I can edit and save the file using vi... kind of hard to show, but the size changes,

===========
thing2 at thing-KVM:/nfs1/thing2$ ls -l
total 4
-rw-rw-r-- 1 4294967294 4294967294   0 2012-05-09 14:45 file
-rw------- 1 4294967294 4294967294 112 2012-05-10 09:54 file2
-rw-rw-r-- 1 4294967294 4294967294   0 2012-05-09 15:34 file3
thing2 at thing-KVM:/nfs1/thing2$ 

==========
[jonesst1 at vuwunicorh6ws05 ~]$ df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroupboot-LogVolroot
                      4.8G  755M  3.9G  17% /
tmpfs                1004M  272K 1004M   1% /dev/shm
/dev/sda1             194M   71M  114M  39% /boot
/dev/mapper/VolGroupboot-LogVolhome
                       48G  184M   46G   1% /home
/dev/mapper/VolGroupboot-LogVolopt
                      2.0G   35M  1.9G   2% /opt
/dev/mapper/VolGroupboot-LogVoltmp
                      4.9G  140M  4.5G   3% /tmp
/dev/mapper/VolGroupboot-LogVolusr
                      9.7G  2.3G  7.0G  25% /usr
/dev/mapper/VolGroupboot-LogVolvar
                      3.9G  953M  2.8G  26% /var
/dev/mapper/VolGroupboot-LogVolaudit
                      3.9G   91M  3.6G   3% /var/log/audit
130.195.53.203:/home/thing2
                       58G  182M   55G   1% /nfs1/thing2

[jonesst1 at vuwunicorh6ws05 ~]$ cd /nfs1/
[jonesst1 at vuwunicorh6ws05 nfs1]$ ls -al
total 12
drwxr-xr-x.  3 root   root      0 May  9 16:19 .
dr-xr-xr-x. 36 root   root   4096 May  9 16:17 ..
drwx------.  2 thing2 thing2 4096 May 10 09:54 thing2
[jonesst1 at vuwunicorh6ws05 nfs1]$ ls -aln
total 12
drwxr-xr-x.  3         0         0    0 May  9 16:19 .
dr-xr-xr-x. 36         0         0 4096 May  9 16:17 ..
drwx------.  2 125800040 125800040 4096 May 10 09:54 thing2
[jonesst1 at vuwunicorh6ws05 nfs1]$ cd thing2
-bash: cd: thing2: Permission denied
[jonesst1 at vuwunicorh6ws05 nfs1]$ 
===========

So IPA user jonesst1 getting into IPA user thing2's directory is denied... so log in as thing2,
===========
[jonesst1 at 8kxl72s ~]$ ssh vuwunicorh6ws05.ods.vuw.ac.nz -l thing2
thing2 at vuwunicorh6ws05.ods.vuw.ac.nz's password: 
Last login: Thu May 10 10:05:46 2012 from 130.195.245.249
Kickstarted on 2012-02-08
[thing2 at vuwunicorh6ws05 ~]$ cd nfs1
[thing2 at vuwunicorh6ws05 nfs1]$ ls -l
total 0
lrwxrwxrwx. 1 thing2 thing2 12 May  9 15:34 thing2 -> /nfs1/thing2
[thing2 at vuwunicorh6ws05 nfs1]$ cd thing2
[thing2 at vuwunicorh6ws05 thing2]$ ls -aln
total 8
drwx------. 2 125800040 125800040 4096 May 10 09:54 .
drwxr-xr-x. 3         0         0    0 May  9 16:19 ..
-rw-rw-r--. 1 125800040 125800040    0 May  9 14:45 file
-rw-------. 1 125800040 125800040  112 May 10 09:54 file2
-rw-rw-r--. 1 125800040 125800040    0 May  9 15:34 file3
[thing2 at vuwunicorh6ws05 thing2]$ tail file2
blah blah
blah4
blah5
dddddubuntu
ubuntu2
blah5 no2
ubuntu2
chmod is 0600
ubuntu via ssh
add
[thing2 at vuwunicorh6ws05 thing2]$ 
===========

So... I'm confused...

===========
[root at vuwuniconfsipa1 thing2]# more /etc/exports
#/home	*(rw,sync,all_squash,insecure)
/home	*(rw,sec=sys:krb5:krb5i:krb5p)
[root at vuwuniconfsipa1 thing2]# 
==========

Should sec=sys be there?

No idea what I'm doing wrong...

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Thursday, 10 May 2012 9:38 a.m.
To: Steven Jones
Cc: Freeipa-users at redhat.com
Subject: Re: [Freeipa-users] insecure IPA'd NFS

Steven Jones wrote:
> I just set up a RHEL6 server as an NFS server and I have 2 x RHEL6 workstation clients doing NFS via automount as per section 10.3 of the admin guide 6.3 beta... all good until I use an Ubuntu client to "attack it". I find the non-IPA'd Ubuntu client can delete, alter and edit files... kind of oops... I think there is a stage missing in the doc or a bug... can someone have a look at that doc and tell me if a step is missing please?

I think more details are needed on what you set up.

How is the Ubuntu client mounting the NFS mount? As what user are you
changing files?

rob
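
Editor's note on the "Should sec=sys be there?" question, with an added example that is not code from the FreeIPA project or from either poster. Under AUTH_SYS (sec=sys) the NFS server does not authenticate the caller at all: it trusts the numeric uid/gid the client places in the RPC credential. Anyone who is root on a host that can reach the server can therefore create a local user carrying an IPA user's UID (125800040 here) and the server will treat writes to a 0600 file as that user, exactly as the Ubuntu session shows. The 4294967294 in the Ubuntu listings is uid -2 as an unsigned 32-bit value, the NFSv4 idmapper's "nobody" fallback when it cannot map the owner name; it only affects the names displayed, not the access check, which ran on the forged numeric UID. Listing sys beside the Kerberos flavours in sec= accepts the weakest flavour a client chooses to use. The Python below audits an exports file for every export/client pair that still accepts AUTH_SYS, including the exports(5) default when sec= is absent, and rewrites the lines to Kerberos-only. It runs on a constructed copy of the two lines from the post plus one invented export with no sec= at all; the hostnames in it are made up.

```python
"""Audit /etc/exports for exports that still accept AUTH_SYS (sec=sys).

Added example for this thread; not code from the FreeIPA project or the
posters. Under AUTH_SYS the server trusts the numeric uid/gid in the RPC
credential, so root on any client can claim an IPA user's UID.
"""
import re
from dataclasses import dataclass

# Flavours that actually authenticate the caller (Kerberos via rpc.gssd).
KRB_FLAVOURS = ("krb5", "krb5i", "krb5p")

# Constructed sample: the two lines from the post plus one export with no
# sec= at all, to show the exports(5) default. The hostnames are made up.
SAMPLE_EXPORTS = """\
#/home\t*(rw,sync,all_squash,insecure)
/home\t*(rw,sec=sys:krb5:krb5i:krb5p)
/srv/scratch\tlab-ws01.example.com(rw,sync) lab-ws02.example.com(ro)
"""

# A client spec is 'client' or 'client(opt,opt,...)'; bare '(opts)' means '*'.
_SPEC_RE = re.compile(r"([^\s(]*)(?:\(([^)]*)\))?")


@dataclass
class Finding:
    export: str
    client: str
    flavours: tuple     # sec= list as exported; ('sys',) when defaulted
    accepts_sys: bool


def _split_specs(line):
    """Return (export, [(client, [options]), ...]) for one exports line."""
    fields = line.split()
    export, specs = fields[0], fields[1:] or ["*"]   # no spec = everyone
    parsed = []
    for spec in specs:
        m = _SPEC_RE.fullmatch(spec)
        if m is None:
            raise ValueError(f"malformed client spec: {spec!r}")
        opts = [o for o in (m.group(2) or "").split(",") if o]
        parsed.append((m.group(1) or "*", opts))
    return export, parsed


def sec_flavours(opts):
    """Union of every sec= list in opts; exports(5) defaults to sys."""
    flav = [f for o in opts if o.startswith("sec=")
            for f in o[4:].split(":") if f]
    return tuple(flav) if flav else ("sys",)


def audit_exports(text):
    """One Finding per (export, client) pair; comments and blanks skipped."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        export, specs = _split_specs(line)
        for client, opts in specs:
            flav = sec_flavours(opts)
            findings.append(Finding(export, client, flav, "sys" in flav))
    return findings


def harden_line(line, replacement=KRB_FLAVOURS):
    """Rewrite one exports line so AUTH_SYS is no longer accepted.

    'sys' is dropped from every sec= list; a spec without sec= gets
    sec=<replacement>; a list emptied by the drop gets it too. Comment and
    blank lines pass through unchanged.
    """
    body, sep, comment = line.partition("#")
    if not body.strip():
        return line
    export, specs = _split_specs(body)
    new_specs = []
    for client, opts in specs:
        new_opts, saw_sec = [], False
        for o in opts:
            if o.startswith("sec="):
                saw_sec = True
                keep = [f for f in o[4:].split(":") if f and f != "sys"]
                new_opts.append("sec=" + ":".join(keep or replacement))
            else:
                new_opts.append(o)
        if not saw_sec:
            new_opts.append("sec=" + ":".join(replacement))
        new_specs.append(f"{client}({','.join(new_opts)})")
    return "\t".join([export, *new_specs]) + (f" {sep}{comment}" if sep else "")


def harden_exports(text):
    return "\n".join(harden_line(l) for l in text.splitlines()) + "\n"


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        state = "ACCEPTS AUTH_SYS" if f.accepts_sys else "ok"
        print(f"{f.export:<14}{f.client:<24}sec={':'.join(f.flavours):<22}{state}")
    print("\n# hardened:\n" + harden_exports(SAMPLE_EXPORTS), end="")
```

After changing the file, `exportfs -ra` re-reads it. Any flavour in the sec= list is accepted, so `sys` anywhere in the list, not only in first position, is the weak configuration; once it is gone, a client mounting with AUTH_SYS gets permission denied, which is the intended outcome, while clients that mount with a Kerberos flavour are unaffected. The `insecure` option in the commented-out line is a different knob (it permits client source ports above 1023) and does not bear on this.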
