Bug 57392 - netkit-rsh rshd rexecd in.rshd in.rexecd chdir nfs setuid
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: rsh
Version: 9
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Phil Knirsch
Reported: 2001-12-11 11:05 EST by Alex Muntada
Modified: 2015-03-04 20:09 EST

Doc Type: Bug Fix
Last Closed: 2003-06-24 08:03:00 EDT


Attachments
rshd patch: perform setuid before chdir (691 bytes, patch), 2001-12-11 11:56 EST, Alex Muntada
rshd.c, rexecd.c: perform setuid before chdir (1.26 KB, patch), 2001-12-11 12:38 EST, Alex Muntada

Description Alex Muntada 2001-12-11 11:05:59 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.79 [en] (X11; U; SunOS 5.7 sun4u; Nav)

Description of problem:
in.rshd fails to change to the user's home directory if it is mounted by
NFS, because it performs the chdir(2) syscall before setuid(2), and the user
running in.rshd (i.e. root) becomes nobody in NFS mounts.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. "mount /home" by NFS from some other host.
2. "chmod o= /home/username" disabling access to user nobody (username
   should still have access to its own home).
3. "rsh -l username hostname" from a remote host.

Actual Results:  % pwd
/

Expected Results:  % pwd
/home/username

Additional info:

There's a work-around to solve this issue but it has some security
drawbacks: "chmod o+x /home/username" enables user nobody to perform the
chdir(2) syscall before changing UID through setuid(2). Users may not
want everybody to be able to access their home directory.

The best approach would be to modify rshd.c to perform UID changes
before chdir(2), which should be performed while running as the user
(not root nor nobody).

I've tested the latest source RPM available on ftp.redhat.com
(rsh-0.17-5.src.rpm) and the issue is still working in all 7.x
Red Hat versions.
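To make the ordering problem concrete, here is an added example (it is not the attached patch and not netkit's own code) showing the buggy order and the fixed order side by side. A root daemon that calls chdir() before dropping privileges has that chdir() evaluated by a root_squash NFS server as the anonymous user, so a home directory with mode o-x is refused and the daemon falls back to "/", which is exactly the "pwd -> /" in the report. Becoming the user first makes the server see the user's own uid and gids. The demo() function, the helper names and the constructed passwd entry for the current user (name "demo-user") are assumptions so that the example runs unprivileged; a real daemon would use the entry returned by getpwnam(3) for the authenticated login name.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Status codes returned by the two variants below. */
enum {
    HOME_OK = 0,
    HOME_FALLBACK_ROOT = 1,  /* could not enter home, fell back to "/" (the "pwd -> /" of the report) */
    HOME_ERR_CHDIR = -2,     /* not even "/" could be entered */
    HOME_ERR_PRIVDROP = -3   /* could not drop privileges: abort, never run the command as root */
};

/* Drop root to the target user: gid first, then supplementary groups, then uid.
 * setuid() must come last, because setgid()/initgroups() need root to succeed. */
static int drop_to_user(const struct passwd *pw)
{
    if (setgid(pw->pw_gid) != 0)
        return HOME_ERR_PRIVDROP;
    /* initgroups(3) needs root. A process that is already unprivileged (for example
     * this demo under a test harness) keeps the group set it inherited. */
    if (geteuid() == 0 && initgroups(pw->pw_name, pw->pw_gid) != 0)
        return HOME_ERR_PRIVDROP;
    if (setuid(pw->pw_uid) != 0)
        return HOME_ERR_PRIVDROP;
    /* Paranoia: confirm that root cannot be regained. */
    if (pw->pw_uid != 0 && setuid(0) == 0)
        return HOME_ERR_PRIVDROP;
    return HOME_OK;
}

/* Buggy order: chdir() runs while still root. With root_squash the NFS server maps
 * uid 0 to nobody, so a home directory with mode o-x is refused. */
int enter_home_buggy_order(const struct passwd *pw)
{
    int rc = HOME_OK;
    if (chdir(pw->pw_dir) != 0) {
        fprintf(stderr, "No home directory %s: %s\n", pw->pw_dir, strerror(errno));
        if (chdir("/") != 0)
            return HOME_ERR_CHDIR;
        rc = HOME_FALLBACK_ROOT;
    }
    if (drop_to_user(pw) != HOME_OK)
        return HOME_ERR_PRIVDROP;
    return rc;
}

/* Fixed order: become the user first, then chdir(). The server now sees the user's
 * own uid/gids, which root_squash does not touch. */
int enter_home_fixed_order(const struct passwd *pw)
{
    if (drop_to_user(pw) != HOME_OK)
        return HOME_ERR_PRIVDROP;
    if (chdir(pw->pw_dir) != 0) {
        fprintf(stderr, "No home directory %s: %s\n", pw->pw_dir, strerror(errno));
        if (chdir("/") != 0)
            return HOME_ERR_CHDIR;
        return HOME_FALLBACK_ROOT;
    }
    return HOME_OK;
}

/* Demo: a constructed passwd entry for the current user with a home directory of our
 * choosing, so the fixed path can be exercised without root. */
int demo(const char *home)
{
    struct passwd pw;
    memset(&pw, 0, sizeof pw);
    pw.pw_name = "demo-user";   /* hypothetical name; only consulted by initgroups() when root */
    pw.pw_uid = getuid();
    pw.pw_gid = getgid();
    pw.pw_dir = (char *)home;
    return enter_home_fixed_order(&pw);
}
```

The difference between the two variants only shows on a squashed NFS export; on a local filesystem both succeed, which is why the bug went unnoticed in ordinary testing. The one behaviour that must never change is that a failed privilege drop aborts instead of continuing as root.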
Comment 1 Alex Muntada 2001-12-11 11:56:22 EST
Created attachment 40352 [details]
rshd patch: perform setuid before chdir
Comment 2 Alex Muntada 2001-12-11 12:35:25 EST
The same issue appears in rexecd.c from the same package as rshd.c.
Comment 3 Alex Muntada 2001-12-11 12:38:50 EST
Created attachment 40353 [details]
rshd.c, rexecd.c: perform setuid before chdir
Comment 4 Alex Muntada 2001-12-11 13:22:21 EST
I've found that the steps described above to reproduce this issue may not
fail in some scenarios, depending on the shell and environment settings
defined by the system and the user itself. These are the working ones:

Steps to reproduce: (1 and 2 are the same)
3. "rsh -l username hostname pwd" from a remote host.

Actual results:
/

Expected results:
/home/username
Comment 5 Alex Muntada 2001-12-13 09:52:35 EST
After testing that the issue remains unresolved on the 7.2 version I've changed
the information fields accordingly.
Comment 6 Phil Knirsch 2002-02-24 12:41:01 EST
Good point... I'll fix that in the upcoming package...

As another workaround you can also always use the no_root_squash option in your
exports. NFS is already very insecure by design, so doing so on an internal
network shouldn't be much worse.

Read ya, Phil
Comment 7 Tor Lillqvist 2002-04-09 08:07:16 EDT
A similar problem is present in su. It does a chdir() after only calling setfsuid(). If the home directory is NFS-mounted (and exported with root-to-nobody mapping), and protected like:

drwxrws---   80 root     lillqto1   262144 Apr  9 12:26 /home/lillqto1

su won't be able to chdir() into it after just a setfsuid(). (We have home directories protected like this so that users can't chmod them by accident or on purpose. The group is a per-user group.)

To be really correct, su should try the primary group, and then each supplementary group, for each doing a setfsgid() and trying the chdir(). But if that is too much..., at least for the case above, where the home directory's group is the user's primary group, it's enough to just add a call to setfsgid(pw->pw_gid) after the call to setfsuid().
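The group-walking approach proposed in the comment above, as an added example that is not su's code and not part of this bug's attachments. setfsuid()/setfsgid() change only the ids used for filesystem permission checks, and the process keeps root's supplementary group list, so a directory that is reachable only through one of the target user's groups has to be tried with each gid in turn. The functions and the demo for the current user (candidates: primary gid plus whatever getgroups() reports) are assumptions; su would use pw->pw_gid and the target user's list from getgrouplist(3).

```c
#define _GNU_SOURCE
#include <sys/fsuid.h>
#include <sys/types.h>
#include <unistd.h>

/* Set the filesystem uid and gid (Linux-specific) and report whether the kernel
 * accepted them. setfsuid()/setfsgid() return the *previous* id and do not set
 * errno for a refused change, so the only reliable check is to call them again
 * and compare the returned value with what was requested. */
static int set_fs_ids(uid_t uid, gid_t gid)
{
    setfsuid(uid);
    if ((uid_t)setfsuid(uid) != uid)
        return -1;
    setfsgid(gid);
    if ((gid_t)setfsgid(gid) != gid)
        return -1;
    return 0;
}

/* Try chdir(dir) with fsuid = uid and fsgid set to each candidate gid in turn
 * (primary group first, then supplementary groups). Returns the gid that let the
 * chdir succeed, or (gid_t)-1 if none did. */
gid_t chdir_trying_groups(uid_t uid, const gid_t *gids, int ngids, const char *dir)
{
    for (int i = 0; i < ngids; i++) {
        if (set_fs_ids(uid, gids[i]) != 0)
            continue;   /* this gid may not be assumed: skip it */
        if (chdir(dir) == 0)
            return gids[i];
    }
    return (gid_t)-1;
}

/* Demo for the current user, runnable without root: primary gid first, then the
 * supplementary groups of this process. The fs ids are reset afterwards so they
 * follow the effective ids again. */
gid_t demo_enter_dir(const char *dir)
{
    gid_t gids[64];
    gids[0] = getgid();
    int n = getgroups(63, gids + 1);   /* -1 if the list does not fit: then use primary only */
    if (n < 0)
        n = 0;
    gid_t hit = chdir_trying_groups(getuid(), gids, n + 1, dir);
    setfsuid(geteuid());
    setfsgid(getegid());
    return hit;
}
```

An unprivileged process may only set fsgid to its real, effective, saved or current fs gid, so in the demo the supplementary entries are skipped by set_fs_ids(); running as root (su's situation) every candidate is tried.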
Comment 8 Alex Muntada 2003-06-20 16:21:04 EDT
The issue is still unresolved in Red Hat Linux 9.
Comment 9 Phil Knirsch 2003-06-24 08:03:00 EDT
OK, sorry. Fixed now finally in rsh-0.17-17, soon available via rawhide.

Read ya, Phil
