Re: Insecure hostname in nsm_make_temp_pathname

[Benjamin Coddington <bcodding@redhat.com>]

On 11 Nov 2024, at 17:49, Philip Rowlands wrote:

> If a host dies after nsm_make_temp_pathname but before rename(temp, path) we may be left with paths resembling .../server.example.com.new
>
> Some clever person has registered and installed a wildcard DNS record for *.com.new.
>
> $ host server.example.com.new
> server.example.com.new has address 104.21.68.132
> server.example.com.new has address 172.67.195.202
>
> You can see where this is going...
>
> Our firewall scanners tripped on outbound access to this address, port 111, I assume due to NSM reboot notifications.
>
> Suggested workarounds include:
> * explicitly skip over paths matching the expect tempname pattern in nsm_load_dir()
> * use a different tmp suffix than .new, e.g. one which won't work in DNS
>
> Steps to reproduce:
>
> # cat /var/lib/nfs/statd/sm/server.example.com.new
> 0100007f 000186b5 00000003 00000010 89ae3382e989d91800000000dc00ed000000ffff 1.2.3.4 my-client-name
> # sm-notify -d -f -n
> sm-notify: Version 2.7.1 starting
> sm-notify: Retired record for mon_name server.example.com.new
> sm-notify: Added host server.example.com.new to notify list
> sm-notify: Initializing NSM state
> sm-notify: Failed to open /proc/sys/fs/nfs/nsm_local_state: No such file or directory
> sm-notify: Effective UID, GID: 29, 29
> sm-notify: Sending PMAP_GETPORT for 100024, 1, udp
> sm-notify: Added host server.example.com.new to notify list
> sm-notify: Host server.example.com.new due in 2 seconds
> sm-notify: Sending PMAP_GETPORT for 100024, 1, udp
> # etc.
>
> tcpdump shows the outbound traffic:
> 22:42:31.940208 IP 192.168.0.131.819 > 172.67.195.202.sunrpc: UDP, length 56
> 22:42:33.942440 IP 192.168.0.131.819 > 172.67.195.202.sunrpc: UDP, length 56
> 22:42:37.946903 IP 192.168.0.131.819 > 172.67.195.202.sunrpc: UDP, length 56
>
> The client statd was artificially placed for the purposes of showing the problem, but I hope it's close enough to make sense.

Makes sense.. yikes!

Maybe we could just prepend '.' since nsm_load_dir() ignores those - Chuck, you were in here last any thoughts?


diff --git a/support/nsm/file.c b/support/nsm/file.c
index f5b448015751..eaf19cd4963e 100644
--- a/support/nsm/file.c
+++ b/support/nsm/file.c
@@ -185,9 +185,9 @@ nsm_make_temp_pathname(const char *pathname)
 {
        size_t size;
        char *path;
-       int len;
+       int le;

-       size = strlen(pathname) + sizeof(".new") + 2;
+       size = strlen(pathname) + sizeof(".new") + 3;
        if (size > PATH_MAX)
                return NULL;

@@ -195,7 +195,7 @@ nsm_make_temp_pathname(const char *pathname)
        if (path == NULL)
                return NULL;

-       len = snprintf(path, size, "%s.new", pathname);
+       len = snprintf(path, size, ".%s.new", pathname);
        if (error_check(len, size)) {
                free(path);
                return NULL;