Red Hat Bugzilla – Bug 57392
netkit-rsh rshd rexecd in.rshd in.rexecd chdir nfs setuid
Last modified: 2015-03-04 20:09:57 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.79 [en] (X11; U; SunOS 5.7 sun4u; Nav)
Description of problem:
in.rshd fails to change to user's home directory if it is mounted by
NFS because it performs chdir(2) syscall before setuid(2) and user
running in.rshd (i.e. root) becomes nobody in NFS mounts.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. "mount /home" by NFS from some other host.
2. "chmod o= /home/username" disabling access to user nobody (username
should still have access to its own home).
3. "rsh -l username hostname" from a remote host.
Actual Results: % pwd
Expected Results: % pwd
There's a work-around to solve this issue but it has some security
drawbacks: "chmod o+x /home/username" enables user nobody to perform
chdir(2) syscall before changing UID through setuid(2). Users may not
want everybody to be able to access its home directory.
The best approach would be to modify rshd.c to perform UID changes
before chdir(2), which should be performed while running as the user
(not root nor nobody).
I've tested the latest source RPM available on ftp.redhat.com
(rsh-0.17-5.src.rpm) and the issue is still working in all 7.x
Created attachment 40352 [details]
rshd patch: perform setuid before chdir
The same issue appears in rexecd.c from the same package as rshd.c.
Created attachment 40353 [details]
rshd.c, rexecd.c: perform setuid before chdir
I've found that the steps described above to reproduce this issue may not
fail in some scenarios, depending on the shell and environment settings
defined by the system and the user itself. These are the working ones:
Steps to reproduce: (1 and 2 are the same)
3. "rsh -l username hostname pwd" from a remote host.
After testing that the issue remains unresolved on the 7.2 version I've changed
Good point... I'll fix that in the upcoming package...
As another workaround you can also always use the no_root_squash option in your
exports. NFS is already very insecure by design, so doing so on an internal
network shouldn't be much worse.
Read ya, Phil
A similar problem is present in su. It does a chdir() after only calling setfsuid(). If the home directory is NFS-mounted (and exported with root-to-nobody mapping). and
drwxrws--- 80 root lillqto1 262144 Apr 9 12:26 /home/lillqto1
su won't be able to chdir() into it after just a setfsuid(). (We have home directories protected like this so that users can't chmod them by accident or on purpose. The
group is a per-user group.)
To be really correct, su should try the primary group, and then each supplementary group, for each doing a setfsgid() and trying the chdir(). But
if that is too much..., at least for the case above, where the home directory's group is the user's primary group, it's enough to just add a call to setfsgid(pw->pw_gid)
after the call to setfsuid().
The issue still unresolved in Red Hat Linux 9.
OK, sorry. Fixed now finally in rsh-0.17-17, soon available via rawhide.
Read ya, Phil