From Bugzilla Helper:
User-Agent: Mozilla/4.79 [en] (X11; U; SunOS 5.7 sun4u; Nav)

Description of problem:
in.rshd fails to change to the user's home directory if it is mounted by NFS, because it performs the chdir(2) syscall before setuid(2), and the user running in.rshd (i.e. root) becomes nobody in NFS mounts.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. "mount /home" by NFS from some other host.
2. "chmod o= /home/username" disabling access to user nobody (username should still have access to its own home).
3. "rsh -l username hostname" from a remote host.

Actual Results:
% pwd
/

Expected Results:
% pwd
/home/username

Additional info:
There's a work-around to solve this issue but it has some security drawbacks: "chmod o+x /home/username" enables user nobody to perform the chdir(2) syscall before changing UID through setuid(2). Users may not want everybody to be able to access their home directory. The best approach would be to modify rshd.c to perform UID changes before chdir(2), which should be performed while running as the user (not root nor nobody). I've tested the latest source RPM available on ftp.redhat.com (rsh-0.17-5.src.rpm) and the issue is still present in all 7.x Red Hat versions.
Created attachment 40352 [details] rshd patch: perform setuid before chdir
The same issue appears in rexecd.c from the same package as rshd.c.
Created attachment 40353 [details] rshd.c, rexecd.c: perform setuid before chdir
I've found that the steps described above to reproduce this issue may not fail in some scenarios, depending on the shell and environment settings defined by the system and the user itself. These are the working ones:

Steps to reproduce:
(1 and 2 are the same)
3. "rsh -l username hostname pwd" from a remote host.

Actual results:
/

Expected results:
/home/username
After testing that the issue remains unresolved on the 7.2 version I've changed the information fields accordingly.
Good point... I'll fix that in the upcoming package... As another workaround you can also always use the no_root_squash option in your exports. NFS is already very insecure by design, so doing so on an internal network shouldn't be much worse. Read ya, Phil
A similar problem is present in su. It does a chdir() after only calling setfsuid(). If the home directory is NFS-mounted (and exported with root-to-nobody mapping) and protected like:

drwxrws--- 80 root lillqto1 262144 Apr 9 12:26 /home/lillqto1

su won't be able to chdir() into it after just a setfsuid(). (We have home directories protected like this so that users can't chmod them by accident or on purpose. The group is a per-user group.) To be really correct, su should try the primary group, and then each supplementary group, for each doing a setfsgid() and trying the chdir(). But if that is too much..., at least for the case above, where the home directory's group is the user's primary group, it's enough to just add a call to setfsgid(pw->pw_gid) after the call to setfsuid().
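The ordering the original report asks of rshd/rexecd, and the group handling the su comment above points out, as an added C example that is not code from the rsh package, from su, or from any attachment in this bug: take on the target user's gid, supplementary groups and uid first, verify the drop actually happened, and only then chdir() into the home directory, so the permission check is made as the user rather than as root (which a root-squashing NFS export maps to nobody). The function names drop_privs_then_chdir and demo_as_current_user, the result codes, and the /tmp directory used as a stand-in for /home/username are constructed for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Result codes (constructed for this example); a negative value names the step that failed. */
enum {
    DROP_OK = 0,
    DROP_ERR_SETGID = -1,
    DROP_ERR_GROUPS = -2,
    DROP_ERR_SETUID = -3,
    DROP_ERR_STILL_PRIV = -4,
    DROP_ERR_CHDIR = -5
};

/*
 * Become `user` (gid, supplementary groups, then uid) and only afterwards
 * enter `home`. With root squashing, a chdir() done while still root is
 * evaluated with nobody's permissions on the NFS export; done after the
 * drop it is evaluated with the user's own uid and group list, which is
 * what a mode like "drwxrws--- root user" requires.
 */
int drop_privs_then_chdir(const char *user, uid_t uid, gid_t gid, const char *home)
{
    if (setgid(gid) != 0)
        return DROP_ERR_SETGID;
    /* Setting the supplementary group list needs CAP_SETGID; an unprivileged
       caller already carries its own list, so only root rebuilds it. */
    if (geteuid() == 0 && initgroups(user, gid) != 0)
        return DROP_ERR_GROUPS;
    if (setuid(uid) != 0)
        return DROP_ERR_SETUID;
    /* Do not trust the return value alone: confirm both real and effective uid changed. */
    if (getuid() != uid || geteuid() != uid)
        return DROP_ERR_STILL_PRIV;
    /* Only now is chdir() checked against the user's permissions, not root's or nobody's. */
    if (chdir(home) != 0)
        return DROP_ERR_CHDIR;
    return DROP_OK;
}

/* Stand-alone demo: "drop" to the current user (a no-op change) and enter `home`. */
int demo_as_current_user(const char *home)
{
    struct passwd *pw = getpwuid(getuid());
    const char *name = pw ? pw->pw_name : "unknown";
    return drop_privs_then_chdir(name, getuid(), getgid(), home);
}

int main(void)
{
    char tmpl[] = "/tmp/homeXXXXXX"; /* constructed stand-in for /home/username */
    char *home = mkdtemp(tmpl);
    if (home == NULL) {
        perror("mkdtemp");
        return 1;
    }
    int rc = demo_as_current_user(home);
    printf("enter %s: %s (rc=%d)\n", home, rc == DROP_OK ? "ok" : strerror(errno), rc);
    if (chdir("/") != 0)
        perror("chdir /");
    if (rmdir(home) != 0)
        perror("rmdir");
    return rc == DROP_OK ? 0 : 1;
}
```

Run as an ordinary user the demo exercises only the ordering and the post-drop check; run as root it additionally rebuilds the supplementary group list with initgroups(3), which is the full-setuid analogue of the setfsgid() call suggested for su above.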
The issue is still unresolved in Red Hat Linux 9.
OK, sorry. Fixed now finally in rsh-0.17-17, soon available via rawhide. Read ya, Phil