Bug 1443579
| Summary: | NFS user mounts do not enforce 'noexec' | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Pierguido Lambri <plambri> |
| Component: | nfs-utils | Assignee: | Steve Dickson <steved> |
| Status: | CLOSED ERRATA | QA Contact: | Yongcheng Yang <yoyang> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 6.9 | CC: | ajmitchell, bcodding, cplummer+bz, dwysocha, plambri, rhandlin, smayhew, ssahsrab, steved, swhiteho, xzhou, yoyang |
| Target Milestone: | rc | Keywords: | Reproducer |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | nfs-utils-1.2.3-78.el6 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-06-19 05:08:05 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1461138, 1507140 | | |
| Attachments: | | | |

Description
Pierguido Lambri
2017-04-19 13:56:57 UTC
SteveD, please provide an update for this bug.

I can not reproduce this with the latest nfs-utils version

I can still reproduce it with the latest nfs-utils:

RHEL6:

```
$ uname -r
2.6.32-696.16.1.el6.x86_64
$ rpm -qa | grep nfs-utils
nfs-utils-1.2.3-75.el6_9.x86_64
nfs-utils-lib-1.1.5-13.el6.x86_64
$ nfsstat -m
/mnt from 192.168.122.10:/exports/
 Flags: rw,relatime,vers=4,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.122.12,minorversion=0,local_lock=none,addr=192.168.122.10
$ ls -l /mnt/ls
-rwxr-xr-x. 1 test test 117048 Dec 13 2017 /mnt/ls
$ /mnt/ls -l
total 0
-rw-rw-r--. 1 test test 0 Dec 13 10:28 test1
-rw-rw-r--. 1 test test 0 Dec 13 10:28 test2
-rw-rw-r--. 1 test test 0 Dec 13 10:28 test3
-rw-rw-r--. 1 test test 0 Dec 13 10:28 test4
-rw-rw-r--. 1 test test 0 Dec 13 10:28 test5
```

RHEL7:

```
$ whoami
test
$ nfsstat -m
/mnt from 192.168.122.10:/exports
 Flags: rw,nosuid,nodev,noexec,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.122.35,local_lock=none,addr=192.168.122.10
$ /mnt/ls -l
-bash: /mnt/ls: Permission denied
```

This looks like something we should try to resolve for 6.10, since there are security implications.

Steve D, is the info in comment #9 enough for you to reproduce this?

Created attachment 1417811
proposed patch

It looks like libmount is shipped as part of util-linux-ng in rhel6. I don't see a libmount-devel or a util-linux-ng-devel package, nor do I see a package providing libmount.h. It would be quite a bit of churn pulling in the libmount support in nfs-utils just so we get the correct flags on user mounts. So I suggest we just use the attached rhel6-only patch instead.

That patch looks to fix it. The mount command adds in the noexec,nosuid,noauto opts and hands them to mount.nfs which then discards them as untrusted and takes the unedited flags from fstab instead. The latest nfs-utils appears to still do this, but I assume the flags get fixed up by some later mechanism.

(In reply to Scott Mayhew from comment #15)
> Created attachment 1417811
> proposed patch

Got it... Thanks!

> It looks like libmount is shipped as part of util-linux-ng in rhel6. I
> don't see a libmount-devel or a util-linux-ng-devel package, nor do I see a
> package providing libmount.h. It would be quite a bit of churn pulling in
> the libmount support in nfs-utils just so we get the correct flags on user
> mounts. So I suggest we just use the attached rhel6-only patch instead.

I agree...

Moving to VERIFIED according to comment #20 now.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1855
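
An added example, not part of the bug report or of nfs-utils: a Python audit that compares the restrictive flags mount(8) implies for user-mountable NFS entries in fstab against the options on the active mount, which is the mismatch this bug describes. The function names are hypothetical, the fstab entry is an assumption, and the mount lines are constructed from the nfsstat output quoted above.

```python
# Added example. mount(8): "user"/"users" imply noexec,nosuid,nodev and
# "owner"/"group" imply nosuid,nodev, unless a later option overrides them.
IMPLIED = {"user": {"noexec", "nosuid", "nodev"},
           "users": {"noexec", "nosuid", "nodev"},
           "owner": {"nosuid", "nodev"}, "group": {"nosuid", "nodev"}}
OVERRIDE = {"exec": "noexec", "suid": "nosuid", "dev": "nodev"}
NFS_TYPES = {"nfs", "nfs4"}


def expected_flags(fstab_opts):
    """Restrictive flags an fstab option string requires, honouring order."""
    required = set()
    for opt in fstab_opts.split(","):
        if opt in IMPLIED:
            required |= IMPLIED[opt]
        elif opt in OVERRIDE:
            required.discard(OVERRIDE[opt])
        elif opt in OVERRIDE.values():
            required.add(opt)
    return required


def parse_table(text):
    """Yield (mountpoint, fstype, options) from fstab or /proc/mounts text."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and not fields[0].startswith("#"):
            yield fields[1].rstrip("/") or "/", fields[2], fields[3]


def audit(fstab_text, mounts_text):
    """Return {mountpoint: missing flags} for active NFS mounts."""
    want = {mp: expected_flags(opts) for mp, fstype, opts
            in parse_table(fstab_text) if fstype in NFS_TYPES}
    findings = {}
    for mp, fstype, opts in parse_table(mounts_text):
        missing = want.get(mp, set()) - set(opts.split(","))
        if fstype in NFS_TYPES and missing:
            findings[mp] = sorted(missing)
    return findings

# Constructed samples (fstab entry assumed; options abbreviated from the bug).
FSTAB = "192.168.122.10:/exports /mnt nfs user,noauto 0 0\n"
RHEL6 = "192.168.122.10:/exports/ /mnt nfs4 rw,relatime,vers=4 0 0\n"
RHEL7 = "192.168.122.10:/exports /mnt nfs4 rw,nosuid,nodev,noexec,relatime,vers=4.0 0 0\n"

if __name__ == "__main__":
    print("RHEL6 sample:", audit(FSTAB, RHEL6))
    print("RHEL7 sample:", audit(FSTAB, RHEL7))
```

On a live client, pass the contents of `/etc/fstab` and `/proc/mounts` to `audit()`; any mount point it returns is mounted without flags that its fstab entry implies.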