From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031007 Firebird/0.7

Description of problem:
Used the redhat configuration tool for NFS in KDE in RHEL WS 3.0.
System Settings -> NFS
Configured a single mount point for export /tftpboot for three servers. The resulting file in /etc/exports was as follows:

    /tftpboot 10.1.2.3 192.168.50.5 172.23.42.2(rw,sync,no_root_squash)

This resulted in 10.1.2.3 and 192.168.50.5 mounting the filesystem in read-only because they did not have rw, sync or no_root_squash. Modified the file by hand and it worked fine:

    /tftpboot 10.1.2.3(rw,sync,no_root_squash) \
        192.168.50.5(rw,sync,no_root_squash) \
        172.23.42.2(rw,sync,no_root_squash)

note: After the file is modified by hand, the tool fails to load in KDE. (RedHat -> System Settings -> NFS).

Version-Release number of selected component (if applicable):
redhat-config-nfs-1.0.13-1

How reproducible:
Always

Steps to Reproduce:
1. Start NFS config tool
2. Configure single mount point with multiple hosts
3. Select rw, sync, no_root_squash
4. Look in /etc/exports

Actual Results:

    /tftpboot 10.1.2.3 192.168.50.5 172.23.42.2(rw,sync,no_root_squash)

Expected Results:

    /tftpboot 10.1.2.3(rw,sync,no_root_squash) \
        192.168.50.5(rw,sync,no_root_squash) \
        172.23.42.2(rw,sync,no_root_squash)

Additional info:
Considering this a security issue as the permissions for the appropriate NFS mount are incorrect.
Created attachment 95829
patch to propertiesWindow.py to set up multiple hosts correctly

When you start nfs-config-nfs it already converts a single entry with multiple hosts to multiple entries, so why not set it up that way when adding multiple hosts? This fixes the security problem and leans towards the more readable format for the /etc/exports file.
Since this could cause an option such as "all_squash" to not be applied to all of the listed hosts, the Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0750 to this issue. Erratum in progress.
An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2004-434.html
Whilst testing a patch for Fedora-Legacy (based on the RH patch), I found that the errata does not completely resolve the security issue. I have also confirmed this is the case on a server running RHEL 3 with the RedHat errata applied. If you edit an *existing* export and add additional hosts using the redhat-config-nfs tool, then the result is that incorrect permissions are applied to the export. This errata has only resolved the issue when creating *new* exports and not when editing existing ones.
Simon, would you please provide an example, what you did and what s/r-c-nfs does wrong?
OK, create a new share with 1 host and set (for example) "Treat all client users as anonymous squash" option. This generates the following /etc/exports entry:

    /var/tmp host1(ro,sync,all_squash)

If I then select properties of that share and in the "hosts" box, add another host, I get the following /etc/exports entry:

    /var/tmp host1 host2(ro,sync,all_squash)

and a warning on the controlling tty:

    exportfs: No options for /var/tmp host1: suggest host1(sync) to avoid warning

i.e. what is wrong is that host1 does not have the correct options (in this case ro and all_squash being the important ones) applied. The errata has only fixed the issue when you create a *new* share with multiple hosts, not if you edit an existing share and add more hosts.
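A check for the condition described in this report, added here as an example and not part of the bug thread or of redhat-config-nfs: it scans exports-format text and lists every client that has no option list attached and therefore gets only the default options. The function names, the `/srv/ok` entry and the sample text are constructed for illustration; export paths quoted because they contain spaces are not handled.

```python
import re

# Constructed sample: the two broken entries quoted in this report, plus the
# hand-corrected multi-host form with a backslash continuation.
SAMPLE = """\
# constructed sample, not a real server's file
/tftpboot 10.1.2.3 192.168.50.5 172.23.42.2(rw,sync,no_root_squash)
/var/tmp host1 host2(ro,sync,all_squash)
/srv/ok 10.1.2.3(rw,sync,no_root_squash) \\
        192.168.50.5(rw,sync,no_root_squash)
"""

# host part, then an optional "(options)" list attached without whitespace
CLIENT = re.compile(r"^(?P<host>[^()]*)(?:\((?P<opts>[^()]*)\))?$")


def logical_lines(text):
    """Yield (first_line_no, content): comments dropped, continuations joined."""
    buf, start = "", None
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        start = num if start is None else start
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        if (buf + line).strip():
            yield start, buf + line
        buf, start = "", None


def bare_clients(text):
    """Return (line_no, path, host) for each client left with default options."""
    findings = []
    for num, line in logical_lines(text):
        path, *clients = line.split()
        has_defaults = False  # a "-opt,opt" token sets defaults for later hosts
        for token in clients:
            if token.startswith("-"):
                has_defaults = True
                continue
            m = CLIENT.match(token)
            if m and m["host"] and m["opts"] is None and not has_defaults:
                findings.append((num, path, m["host"]))
    return findings


if __name__ == "__main__":
    for num, path, host in bare_clients(SAMPLE):
        print(f"line {num}: {path}: {host} has no option list of its own")
```

Running it against a copy of /etc/exports after each change made through a configuration tool shows whether the tool collapsed a multi-host entry into the single-option-list form.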
note: there's a patch by John Dalbec in #152787.
John Dalbec's patch in Bug #152787 that seems to fix Simon Thompson's issue in comment #9 is in attachment 116722: https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=116722
REOPENED status has been deprecated. ASSIGNED with keyword of Reopened is preferred.
EOL