Hi
I'm mounting the mount point via an xterm su'd to root in the user's
GUI. I then open a new xterm, cd to the mount point /nfs1, and then cd
into the "user" directory and edit files as I want...
I am editing files as a forged user that also exists in IPA, using its forged UID....
So on the RHEL NFS server, looking at the mount point /home which is exported as
/nfs1 and the user home dir "thing2", I have file2....chmod'd to 0600 even....
=========
[root@vuwuniconfsipa1 thing2]# ls -aln
total 12
drwx------. 2 125800040 125800040 4096 May 9 17:13 .
drwxr-xr-x. 23 0 0 4096 May 9 14:40 ..
-rw-rw-r--. 1 125800040 125800040 0 May 9 14:45 file
-rw-------. 1 125800040 125800040 108 May 9 17:13 file2
-rw-rw-r--. 1 125800040 125800040 0 May 9 15:34 file3
[root@vuwuniconfsipa1 thing2]# ls -al
total 12
drwx------. 2 thing2 thing2 4096 May 9 17:13 .
drwxr-xr-x. 23 root root 4096 May 9 14:40 ..
-rw-rw-r--. 1 thing2 thing2 0 May 9 14:45 file
-rw-------. 1 thing2 thing2 108 May 9 17:13 file2
-rw-rw-r--. 1 thing2 thing2 0 May 9 15:34 file3
[root@vuwuniconfsipa1 thing2]#
=========
On ubuntu,
=========
thing2@thing-KVM:~$ cd /nfs1/
thing2@thing-KVM:/nfs1$ ls -l
total 0
thing2@thing-KVM:/nfs1$ cd ..
thing2@thing-KVM:/$ su -
Password:
root@thing-KVM:~# mount -t nfs 130.195.53.203:/home/ /nfs1
root@thing-KVM:~# logout
thing2@thing-KVM:/$ cd /nfs1/
thing2@thing-KVM:/nfs1$ ls -l
total 96
drwx------ 2 4294967294 4294967294 4096 2012-02-08 21:26 buchanj1
drwx------ 2 4294967294 4294967294 4096 2012-02-08 21:26 irwinph
drwxr-xr-x 4 4294967294 4294967294 4096 2012-05-10 09:27 jonesst1
drwx------ 2 4294967294 4294967294 16384 2012-02-08 03:10 lost+found
drwx------ 2 4294967294 4294967294 4096 2012-02-08 21:26 nelsonde
drwx------ 2 4294967294 4294967294 4096 2012-02-08 21:26 nfsnobody
drwx------ 2 4294967294 4294967294 4096 2012-02-08 21:26 sabitoan
drwx------ 2 4294967294 4294967294 4096 2012-02-08 21:26 share
drwx------ 2 4294967294 4294967294 4096 2012-02-08 21:26 smithsi
drwx------ 8 4294967294 4294967294 4096 2012-02-13 15:18 ssj10
drwx------ 8 4294967294 4294967294 4096 2012-02-13 14:46 ssj11
drwx------ 7 4294967294 4294967294 4096 2012-02-14 10:12 ssj12
drwx------ 2 4294967294 4294967294 4096 2012-02-13 14:23 ssj3
drwx------ 8 4294967294 4294967294 4096 2012-02-13 14:27 ssj4
drwx------ 8 4294967294 4294967294 4096 2012-02-13 14:39 ssj5
drwx------ 8 4294967294 4294967294 4096 2012-02-13 14:46 ssj6
drwx------ 8 4294967294 4294967294 4096 2012-02-13 14:46 ssj7
drwx------ 8 4294967294 4294967294 4096 2012-02-13 14:46 ssj8
drwx------ 2 4294967294 4294967294 4096 2012-05-09 17:13 thing2
drwx------ 2 4294967294 4294967294 4096 2012-02-08 21:26 tranwa
drwx------ 23 4294967294 4294967294 4096 2012-02-13 10:10 tthing
thing2@thing-KVM:/nfs1$ cd thign2
-bash: cd: thign2: No such file or directory
thing2@thing-KVM:/nfs1$ cd thing2
thing2@thing-KVM:/nfs1/thing2$ ls -l
total 4
-rw-rw-r-- 1 4294967294 4294967294 0 2012-05-09 14:45 file
-rw------- 1 4294967294 4294967294 108 2012-05-09 17:13 file2
-rw-rw-r-- 1 4294967294 4294967294 0 2012-05-09 15:34 file3
thing2@thing-KVM:/nfs1/thing2$ vi file2
thing2@thing-KVM:/nfs1/thing2$
===========
and I can edit and save the file using vi..... it is hard to show here, but the size
changes (108 bytes before the edit, 112 after),
===========
thing2@thing-KVM:/nfs1/thing2$ ls -l
total 4
-rw-rw-r-- 1 4294967294 4294967294 0 2012-05-09 14:45 file
-rw------- 1 4294967294 4294967294 112 2012-05-10 09:54 file2
-rw-rw-r-- 1 4294967294 4294967294 0 2012-05-09 15:34 file3
thing2@thing-KVM:/nfs1/thing2$
==========
[jonesst1@vuwunicorh6ws05 ~]$ df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VolGroupboot-LogVolroot
4.8G 755M 3.9G 17% /
tmpfs 1004M 272K 1004M 1% /dev/shm
/dev/sda1 194M 71M 114M 39% /boot
/dev/mapper/VolGroupboot-LogVolhome
48G 184M 46G 1% /home
/dev/mapper/VolGroupboot-LogVolopt
2.0G 35M 1.9G 2% /opt
/dev/mapper/VolGroupboot-LogVoltmp
4.9G 140M 4.5G 3% /tmp
/dev/mapper/VolGroupboot-LogVolusr
9.7G 2.3G 7.0G 25% /usr
/dev/mapper/VolGroupboot-LogVolvar
3.9G 953M 2.8G 26% /var
/dev/mapper/VolGroupboot-LogVolaudit
3.9G 91M 3.6G 3% /var/log/audit
130.195.53.203:/home/thing2
58G 182M 55G 1% /nfs1/thing2
[jonesst1@vuwunicorh6ws05 ~]$ cd /nfs1/
[jonesst1@vuwunicorh6ws05 nfs1]$ ls -al
total 12
drwxr-xr-x. 3 root root 0 May 9 16:19 .
dr-xr-xr-x. 36 root root 4096 May 9 16:17 ..
drwx------. 2 thing2 thing2 4096 May 10 09:54 thing2
[jonesst1@vuwunicorh6ws05 nfs1]$ ls -aln
total 12
drwxr-xr-x. 3 0 0 0 May 9 16:19 .
dr-xr-xr-x. 36 0 0 4096 May 9 16:17 ..
drwx------. 2 125800040 125800040 4096 May 10 09:54 thing2
[jonesst1@vuwunicorh6ws05 nfs1]$ cd thing2
-bash: cd: thing2: Permission denied
[jonesst1@vuwunicorh6ws05 nfs1]$
===========
So IPA user jonesst1 getting into IPA user thing2's home directory is denied.......so log in
as thing2,
===========
[jonesst1@8kxl72s ~]$ ssh vuwunicorh6ws05.ods.vuw.ac.nz -l thing2
[email protected]'s password:
Last login: Thu May 10 10:05:46 2012 from 130.195.245.249
Kickstarted on 2012-02-08
[thing2@vuwunicorh6ws05 ~]$ cd nfs1
[thing2@vuwunicorh6ws05 nfs1]$ ls -l
total 0
lrwxrwxrwx. 1 thing2 thing2 12 May 9 15:34 thing2 -> /nfs1/thing2
[thing2@vuwunicorh6ws05 nfs1]$ cd thing2
[thing2@vuwunicorh6ws05 thing2]$ ls -aln
total 8
drwx------. 2 125800040 125800040 4096 May 10 09:54 .
drwxr-xr-x. 3 0 0 0 May 9 16:19 ..
-rw-rw-r--. 1 125800040 125800040 0 May 9 14:45 file
-rw-------. 1 125800040 125800040 112 May 10 09:54 file2
-rw-rw-r--. 1 125800040 125800040 0 May 9 15:34 file3
[thing2@vuwunicorh6ws05 thing2]$ tail file2
blah blah
blah4
blah5
dddddubuntu
ubuntu2
blah5 no2
ubuntu2
chmod is 0600
ubuntu via ssh
add
[thing2@vuwunicorh6ws05 thing2]$
===========
so...I'm confused....
===========
[root@vuwuniconfsipa1 thing2]# more /etc/exports
#/home *(rw,sync,all_squash,insecure)
/home *(rw,sec=sys:krb5:krb5i:krb5p)
[root@vuwuniconfsipa1 thing2]#
==========
Should sec=sys be there? I'm wondering whether listing sec=sys lets the non-Kerberos Ubuntu
client (mounted above with a plain "mount -t nfs", no sec= option) be accepted with AUTH_SYS
and trusted on the UID it claims alone.
No idea what I'm doing wrong....
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
________________________________________
From: Rob Crittenden [[email protected]]
Sent: Thursday, 10 May 2012 9:38 a.m.
To: Steven Jones
Cc: [email protected]
Subject: Re: [Freeipa-users] insecure IPA'd NFS
Steven Jones wrote:
> I just setup a RHEL6 server as a NFS server and I have 2 x RHEL6 workstation
> clients doing NFS via automount as per section 10.3 admin guide
> 6.3beta....all good until I use a Ubuntu client to 'attack it" I find the
> non-IPA's ubuntu client can delete, alter and edit files......kind of
> Oops....I think there is a stage missing in the doc or a bug.......can
> someone have a look at that doc and tell me if a step is missing please?
I think more details are needed on what you set up.
How is the Ubuntu client mounting the NFS mount? As what user are you
changing files?
rob