Bug 107997 - CVE-2004-0750 [PATCH] /etc/exports has incorrect syntax for multiple hosts with a single mount point
CVE-2004-0750 [PATCH] /etc/exports has incorrect syntax for multiple hosts wi...
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: redhat-config-nfs (Show other bugs)
3.0
i686 Linux
high Severity medium
: ---
: ---
Assigned To: Nils Philippsen
impact=low,source=redhat,reported=200...
: Reopened, Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2003-10-25 17:50 EDT by John Buswell
Modified: 2010-11-01 06:11 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-11-01 06:11:21 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
patch to propertiesWindow.py to set up multiple hosts correctly (1.32 KB, patch)
2003-11-08 13:07 EST, Shannon Mitchell
no flags Details | Diff

  None (edit)
Description John Buswell 2003-10-25 17:50:41 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031007
Firebird/0.7

Description of problem:
Used the redhat configuration tool for NFS in KDE in RHEL WS 3.0.

System Settings -> NFS

Configured a single mount point for export /tftpboot for three
servers. The resulting file in /etc/export was as follows :

/tftpboot  10.1.2.3 192.168.50.5 172.23.42.2(rw,sync,no_root_squash)

This resulted in 10.1.2.3 and 192.168.50.5 mounting the filesystem in
read-only because they did not have rw, sync or no_root_squash). Modified the
file by hand and it worked fine :

/tftpboot  10.1.2.3(rw,sync,no_root_squash) \
           192.168.50.5(rw,sync,no_root_squash) \
           172.23.42.2(rw,sync,no_root_squash)

note: After the file is modified by hand, the tool fails to load in
KDE. (RedHat -> System Settings -> NFS).



Version-Release number of selected component (if applicable):
redhat-config-nfs-1.0.13-1

How reproducible:
Always

Steps to Reproduce:
1.Start NFS config tool
2.Configure single mount point with multiple hosts
3.Select rw, sync, no_root_squash
4.Look in /etc/exports
    

Actual Results:  /tftpboot  10.1.2.3 192.168.50.5
172.23.42.2(rw,sync,no_root_squash)

Expected Results:  /tftpboot  10.1.2.3(rw,sync,no_root_squash) \
           192.168.50.5(rw,sync,no_root_squash) \
           172.23.42.2(rw,sync,no_root_squash)

Additional info:

Considering this a security issue as the permissions for the
appropriate NFS mount are incorrect.
Comment 1 Shannon Mitchell 2003-11-08 13:07:15 EST
Created attachment 95829 [details]
patch to propertiesWindow.py to set up multiple hosts correctly

When you start nfs-config-nfs it already converts a single entry with multiple
hosts to multiple entries, so why not set it up that way when adding multiple
hosts.	This fixes the security problem and leans towards the more readable
format for the /etc/exports file.
Comment 4 Mark J. Cox (Product Security) 2004-08-16 09:33:41 EDT
Since this could cause an option such as "all_squash" to not being
applied to all of the listed hosts, the Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-0750 to
this issue.  Erratum in progress.
Comment 6 Josh Bressers 2004-09-22 13:54:45 EDT
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2004-434.html
Comment 7 Simon Thompson 2005-02-11 04:15:41 EST
Whilst testing a patch for Fedora-Legacy (based on the RH patch), I
found that the errata does not completely resolve the security issue.

I have also confirmed this is the case on a server running RHEL 3 with
the RedHat errata applied.

If you edit an *existing* export and add additional hosts using the
redhat-config-nfs tool, then the result is that incorrect permissions
are applied to the export.

This errata has only resolved the issue when creating *new* exports
and not when editing existing ones.
Comment 8 Nils Philippsen 2005-02-11 04:50:59 EST
Simon, would you please provide an example, what you did and what
s/r-c-nfs does wrong?
Comment 9 Simon Thompson 2005-02-11 05:29:11 EST
OK, create a new share with 1 host and set (for example) "Treat all
client users as anonymous squash" option. This generates the following
/etc/exports entry:

  /var/tmp                 host1(ro,sync,all_squash)

If I then select properties of that share and in the "hosts" box, add
another host, I get the following /etc/exports entry:

  /var/tmp                 host1 host2(ro,sync,all_squash)

and a warning on the controlling tty:
exportfs: No options for /var/tmp host1: suggest host1(sync) to avoid
warning

i.e. what is wrong is that host1 does not have the correct options (in
this case ro and all_squash being the important ones) applied.

The errata has only fixed the issue when you create a *new* share with
multiple hosts, not if you edit an existing share and add more hosts.
Comment 10 Pekka Savola 2005-07-27 02:14:16 EDT
note: there's a patch by John Dalbec in #152787.
Comment 13 David Eisenstein 2005-09-30 00:41:53 EDT
John Dalbec's patch in Bug #152787 that seems to fix Simon Thompson's issue in
comment #9 is in attachment 116722 [details].

   https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=116722
Comment 21 Red Hat Bugzilla 2007-02-05 14:21:21 EST
REOPENED status has been deprecated. ASSIGNED with keyword of Reopened is preferred.
Comment 22 Mark J. Cox (Product Security) 2010-11-01 06:11:21 EDT
EOL

Note You need to log in before you can comment on or make changes to this bug.