public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed
From: Jesse Pollard <jesse@cats-chateau.net>
To: Andreas Dilger <adilger@clusterfs.com>
Cc: =?CP 1252?q?S=F8ren=20Hansen?= <sh@warma.dk>,
	"Linux Kernel Mailing List" <linux-kernel@vger.kernel.org>
Subject: Re: UID/GID mapping system
Date: Thu, 11 Mar 2004 08:08:31 -0600	[thread overview]
Message-ID: <04031108083100.05054@tabby> (raw)
In-Reply-To: <20040310234640.GO1144@schnapps.adilger.int>

On Wednesday 10 March 2004 17:46, Andreas Dilger wrote:
> On Mar 10, 2004  15:41 -0600, Jesse Pollard wrote:
> > On Wednesday 10 March 2004 11:58, Søren Hansen wrote:
> > > The server can't trust the client as it is now anyway. The client can
> > > do whatever it wants already. There is no security impact as I see it.
> >
> > First, if the server refuses to map uids into what it considers system
> > (say, those less than 100... or better, 1000) then the daemons that may
> > be using those uids/gids on the server (or other hosts even) will be
> > protected from a simple mapping attack. Any attempt to do so will be
> > detected by the server, blocked, and reported.
> >
> > Second, if the various organizations are mapped, then only maps (and
> > uids/gids) authorized by those maps can be used. Any hanky panky on the
> > client host will ONLY involve those accounts/uids already on the client.
> > They will NOT be able to map to accounts/uids that are assigned to the
> > other organization. Again, attempts to access improper accounts will be
> > detected by the server, blocked,  and reported.
>
> I agree with Søren on this.  If the client is compromised such that the
> attacker can manipulate the maps (i.e. root) then there is no reason why
> the attacker can't just "su" to any UID it wants (regardless of mapping)
> and NFS is none-the-wiser.

Absolutely true. The attacker can do the "su" to any uid. Which is why the
server must be the one to provide the mapping service. The server does not
have to accept the UID unless it is one of the entries in the authorized map.

This isolates the penetration to only the accounts authorized to the
penetrated host.

And even root can be blocked from access to the server - in fact, root
could be mapped to any uid by the server (say for the purpose of remote
configuration files). The penetrated client can only access accounts that
were authorized by the server map.

> If the client is trusted to mount NFS, then it is also trusted enough not
> to use the wrong UID.  There is no "more" or "less" safe in this regard.

It is only trusted to not misuse the uids that are mapped for that client. If
the client DOES misuse the uids, then only those mapped uids will be affected.
UIDS that are not mapped for that host will be protected.

It is to ISOLATE the penetration to the host that this is done. The server
will not and should not extend trust to any uid not authorized to that host. 
This is what the UID/GID maps on the server provide.


  reply	other threads:[~2004-03-11 14:09 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2004-03-08 19:45 UID/GID mapping system Søren Hansen
2004-03-09 16:46 ` Jesse Pollard
2004-03-09 19:28   ` Søren Hansen
2004-03-10 15:28     ` Jesse Pollard
2004-03-10 17:58       ` Søren Hansen
2004-03-10 21:41         ` Jesse Pollard
2004-03-10 22:45           ` Trond Myklebust
2004-03-11  8:29             ` Søren Hansen
2004-03-11 14:31               ` Jesse Pollard
2004-03-11 14:45                 ` Søren Hansen
2004-03-11 15:58               ` J. Bruce Fields
2004-03-11 19:41               ` Trond Myklebust
2004-03-12  8:41                 ` Søren Hansen
2004-03-11 14:10             ` Jesse Pollard
2004-03-10 23:46           ` Andreas Dilger
2004-03-11 14:08             ` Jesse Pollard [this message]
2004-03-11 16:02               ` J. Bruce Fields
2004-03-12 13:58                 ` Jesse Pollard
2004-03-12 20:08                   ` J. Bruce Fields
2004-03-15 17:17                     ` Jesse Pollard
2004-03-15 17:49               ` Andreas Dilger
     [not found]             ` <fa.ct61k6d.bm43gj@ifi.uio.no>
2004-03-11 19:40               ` Kevin Buhr
2004-03-11 23:10                 ` Jamie Lokier
2004-03-12 14:49                 ` Pavel Machek
2004-03-11  8:22           ` Søren Hansen
2004-03-11 14:18             ` Jesse Pollard
2004-03-11 14:39               ` Søren Hansen
2004-03-12 13:52                 ` Jesse Pollard
2004-03-12 15:00                   ` Søren Hansen
2004-03-15 17:05                     ` Jesse Pollard
2004-03-16  8:08                       ` Søren Hansen
2004-03-09 19:28   ` Søren Hansen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=04031108083100.05054@tabby \
    --to=jesse@cats-chateau.net \
    --cc=adilger@clusterfs.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=sh@warma.dk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox