NFS re-export - NFS



Thread: NFS re-export

  1. NFS re-export

    Hello:

    Can an NFS-mounted directory be NFS re-exported in Linux? There used
    to be an
    --re-export option in rpc.nfsd (pre-2001?) but it is no longer there.

    Thx

    Pete


  2. Re: NFS re-export

    On 9 Oct 2005 02:12:20 -0700, pete@market.ath.cx wrote:

    >Hello:
    >
    >Can an NFS-mounted directory be NFS re-exported in Linux? There used
    >to be an
    >--re-export option in rpc.nfsd (pre-2001?) but it is no longer there.
    >
    >Thx
    >
    >Pete



    I would think not since that could allow you to bypass the security of
    the original export.

    ~F

  3. Re: NFS re-export


    In article ,
    Faeandar writes:
    |> On 9 Oct 2005 02:12:20 -0700, pete@market.ath.cx wrote:
    |>
    |> >Can an NFS-mounted directory be NFS re-exported in Linux? There used
    |> >to be an
    |> >--re-export option in rpc.nfsd (pre-2001?) but it is no longer there.
    |>
    |> I would think not since that could allow you to bypass the security of
    |> the original export.

    Eh? Why would it? The export is more-or-less unconditional.


    Regards,
    Nick Maclaren.

  4. Re: NFS re-export

    On 10 Oct 2005 15:45:13 GMT, nmm1@cus.cam.ac.uk (Nick Maclaren) wrote:

    >
    >In article ,
    >Faeandar writes:
    >|> On 9 Oct 2005 02:12:20 -0700, pete@market.ath.cx wrote:
    >|>
    >|> >Can an NFS-mounted directory be NFS re-exported in Linux? There used
    >|> >to be an
    >|> >--re-export option in rpc.nfsd (pre-2001?) but it is no longer there.
    >|>
    >|> I would think not since that could allow you to bypass the security of
    >|> the original export.
    >
    >Eh? Why would it? The export is more-or-less unconditional.
    >
    >
    >Regards,
    >Nick Maclaren.


    Let's say the mounting Linux host mentioned is hostA, and it's
    re-exporting to hostB. If hostB does not have permissions to the
    original mount, it does now through hostA.

    ~F

  5. Re: NFS re-export

    In article <1ralk1d1a61t7t4525fb8m446n2a2v4br5@4ax.com>,
    Faeandar wrote:
    >>|>
    >>|> >Can an NFS-mounted directory be NFS re-exported in Linux? There used
    >>|> >to be an
    >>|> >--re-export option in rpc.nfsd (pre-2001?) but it is no longer there.
    >>|>
    >>|> I would think not since that could allow you to bypass the security of
    >>|> the original export.
    >>
    >>Eh? Why would it? The export is more-or-less unconditional.

    >
    >Lets say the mounting Linux host mentioned is hostA, and it's
    >re-exporting to hostB. If hostB does not have permissions to the
    >original mount, it does now through hostA.


    So? That allows hostB to do precisely nothing that it can't do by
    issuing a remote shell command to hostA to access the file system.


    Regards,
    Nick Maclaren.

  6. Re: NFS re-export


    "Faeandar" wrote in message
    news:lo2lk1lmpe9t7mn7udpd8lml0f5vm828nu@4ax.com...
    > On 9 Oct 2005 02:12:20 -0700, pete@market.ath.cx wrote:
    >
    >>Hello:
    >>
    >>Can an NFS-mounted directory be NFS re-exported in Linux? There used
    >>to be an
    >>--re-export option in rpc.nfsd (pre-2001?) but it is no longer there.
    >>
    >>Thx
    >>
    >>Pete

    >
    >
    > I would think not since that could allow you to bypass the security of
    > the original export.
    >
    > ~F


    So... If I mount an NFS filesystem, then export it over Samba,
    would that be a security issue? Not really. Just the same privileges
    that rsh, or ssh, could have achieved. If a server "A" is exporting
    to "B" and "B" is exporting to "C", then the admin of
    "A" gave the permission for "B" to access the filesystem,
    and the admin of "B" gave permission to "C" to access the
    filesystem. (I know, Windows won't do this, but that's hardly
    a good reason to chop off my nose)

    Enjoy
    Postmaster





  7. Re: NFS re-export

    On 10 Oct 2005 18:35:38 GMT, nmm1@cus.cam.ac.uk (Nick Maclaren) wrote:

    >In article <1ralk1d1a61t7t4525fb8m446n2a2v4br5@4ax.com>,
    >Faeandar wrote:
    >>>|>
    >>>|> >Can an NFS-mounted directory be NFS re-exported in Linux? There used
    >>>|> >to be an
    >>>|> >--re-export option in rpc.nfsd (pre-2001?) but it is no longer there.
    >>>|>
    >>>|> I would think not since that could allow you to bypass the security of
    >>>|> the original export.
    >>>
    >>>Eh? Why would it? The export is more-or-less unconditional.

    >>
    >>Lets say the mounting Linux host mentioned is hostA, and it's
    >>re-exporting to hostB. If hostB does not have permissions to the
    >>original mount, it does now through hostA.

    >
    >So? That allows hostB to do precisely nothing that it can't do by
    >issuing a remote shell command to hostA to access the file system.
    >
    >
    >Regards,
    >Nick Maclaren.


    But what if hostB has no rsh capabilities to hostA? Happens all the
    time. We restrict login access to hosts but allow NFS access to
    specific file systems. Specific example:

    Source_hostA exports only to admin_hostA. Admin_hostA has restricted
    login permissions so that only admins get login. Someone, for some
    reason (maybe they got passed over for promotion and are planning on
    leaving anyway), re-exports that file system to the world.

    We call that "bad".

    ~F

  8. Re: NFS re-export

    On Mon, 10 Oct 2005 20:31:50 GMT, "Postmaster"
    wrote:

    >
    >"Faeandar" wrote in message
    >news:lo2lk1lmpe9t7mn7udpd8lml0f5vm828nu@4ax.com...
    >> On 9 Oct 2005 02:12:20 -0700, pete@market.ath.cx wrote:
    >>
    >>>Hello:
    >>>
    >>>Can an NFS-mounted directory be NFS re-exported in Linux? There used
    >>>to be an
    >>>--re-export option in rpc.nfsd (pre-2001?) but it is no longer there.
    >>>
    >>>Thx
    >>>
    >>>Pete

    >>
    >>
    >> I would think not since that could allow you to bypass the security of
    >> the original export.
    >>
    >> ~F

    >
    >So... If I mount an NFS filesystem, then export it over Samba
    >would that be a security issue. Not really. Just the same privileges
    >that rsh, or ssh, could have achieved. If a server "A" is exporting
    >to "B" and "B" is exporting to "C", then the admin of the of
    >"A" gave the permission for "B" to access the filesystem,
    >and the admin of "B" gave permission to "C" to access the
    >filesystem. ( I know, Windows won't do this, but that's hardly
    >a good reason to chop off my nose)
    >
    >Enjoy
    >Postmaster
    >
    >
    >


    See recent re-post. Not all hosts enjoy rsh or ssh access to all
    other hosts.

    ~F

  9. Re: NFS re-export


    "Faeandar" wrote in message
    news:i84mk1h6tq5seh4e28am1t7nv3euv224hs@4ax.com...
    > On 10 Oct 2005 18:35:38 GMT, nmm1@cus.cam.ac.uk (Nick Maclaren) wrote:
    >
    >>In article <1ralk1d1a61t7t4525fb8m446n2a2v4br5@4ax.com>,
    >>Faeandar wrote:
    >>>>|>
    >>>>|> >Can an NFS-mounted directory be NFS re-exported in Linux? There
    >>>>used
    >>>>|> >to be an
    >>>>|> >--re-export option in rpc.nfsd (pre-2001?) but it is no longer
    >>>>there.
    >>>>|>
    >>>>|> I would think not since that could allow you to bypass the security
    >>>>of
    >>>>|> the original export.
    >>>>
    >>>>Eh? Why would it? The export is more-or-less unconditional.
    >>>
    >>>Lets say the mounting Linux host mentioned is hostA, and it's
    >>>re-exporting to hostB. If hostB does not have permissions to the
    >>>original mount, it does now through hostA.

    >>
    >>So? That allows hostB to do precisely nothing that it can't do by
    >>issuing a remote shell command to hostA to access the file system.
    >>
    >>
    >>Regards,
    >>Nick Maclaren.

    >
    > but what if hostB has no rsh capabilities to hostA? Happens all the
    > time. We restrict login access to hosts but allow nfs access to
    > specific file systems. Specific example:
    >
    > Source_hostA exports only to admin_hostA. Admin_hostA has restricted
    > login permissions so that only admins get login. Someone, for some
    > reason (maybe they got passed over for promotion and are planning on
    > leaving anyway), re-exports that file system to the world.
    >
    > We call that "bad".
    >
    > ~F


    So someone that got passed over for promotion decided to
    re-export the NFS filesystem to another host and thus
    opens up the filesystem to many other systems. Ok...
    but that someone had the "ROOT" password at some
    point.

    -rw-r--r-- 1 root root 18 May 4 2004 /etc/exports

    Given that you have an angry user that happens to
    have ROOT access, why didn't he just dd if=/dev/null
    of=/dev/root bs=8k count=99999999999999, put it
    in a crontab, and have it fire several months later :-)
    When the new administrator arrives (now that the other
    guy has been fired) it would seem prudent for this
    person to conduct an audit for a few things like:
    Setuid (root) shells,
    Cron jobs that look evil.
    Email forwarding agents, that shouldn't be there.
    Backdoors in firewalls.
    Netstat and look for open listeners that one cannot explain.
    and so on....

    Believe me, the LEAST thing to worry about is a re-export;
    you've got much bigger issues if you have an untrustworthy person,
    with root access, on the loose.

    If you see this happening:
    Change the root password on all systems immediately.
    Check the logs, see who logged in as root last, and from where.
    Check who used 'su' around the time that /etc/exports was last
    updated.
    Conduct an audit of the system that was altered, looking for other
    activities.

    Enjoy
    Postmaster



  10. Re: NFS re-export

    On Tue, 11 Oct 2005 03:59:44 GMT, "Postmaster"
    wrote:

    >
    >"Faeandar" wrote in message
    >news:i84mk1h6tq5seh4e28am1t7nv3euv224hs@4ax.com...
    >> On 10 Oct 2005 18:35:38 GMT, nmm1@cus.cam.ac.uk (Nick Maclaren) wrote:
    >>
    >>>In article <1ralk1d1a61t7t4525fb8m446n2a2v4br5@4ax.com>,
    >>>Faeandar wrote:
    >>>>>|>
    >>>>>|> >Can an NFS-mounted directory be NFS re-exported in Linux? There
    >>>>>used
    >>>>>|> >to be an
    >>>>>|> >--re-export option in rpc.nfsd (pre-2001?) but it is no longer
    >>>>>there.
    >>>>>|>
    >>>>>|> I would think not since that could allow you to bypass the security
    >>>>>of
    >>>>>|> the original export.
    >>>>>
    >>>>>Eh? Why would it? The export is more-or-less unconditional.
    >>>>
    >>>>Lets say the mounting Linux host mentioned is hostA, and it's
    >>>>re-exporting to hostB. If hostB does not have permissions to the
    >>>>original mount, it does now through hostA.
    >>>
    >>>So? That allows hostB to do precisely nothing that it can't do by
    >>>issuing a remote shell command to hostA to access the file system.
    >>>
    >>>
    >>>Regards,
    >>>Nick Maclaren.

    >>
    >> but what if hostB has no rsh capabilities to hostA? Happens all the
    >> time. We restrict login access to hosts but allow nfs access to
    >> specific file systems. Specific example:
    >>
    >> Source_hostA exports only to admin_hostA. Admin_hostA has restricted
    >> login permissions so that only admins get login. Someone, for some
    >> reason (maybe they got passed over for promotion and are planning on
    >> leaving anyway), re-exports that file system to the world.
    >>
    >> We call that "bad".
    >>
    >> ~F

    >
    > So someone that got passed over for promotion decided to
    > re-export the NFS filesystem to another host and thus
    > opens up the filesystem to many other systems. Ok...
    > but that someone had the "ROOT" password at some
    > point.
    >
    > -rw-r--r-- 1 root root 18 May 4 2004 /etc/exports
    >
    > Given that you have an angry user that happens to
    > have ROOT access, why didn't he just dd if=/dev/null
    > of=/dev/root bs=8k count=99999999999999, put it
    > in a crontab, and have it fire several months later :-)
    > When the new administrator arrives (now that the other
    > guy has been fired) it would seem prudent for this
    > person to conduct an audit for a few things like:
    > Setuid (root) shells,
    > Cron jobs that look evil.
    > Email forwarding agents, that shouldn't be there.
    > Backdoors in firewalls.
    > Netstat and look for open listeners that one can not explain.
    > and so on....
    >
    > Believe me, the LEAST thing to worry about is a re-export,
    > you've got much bigger issues if you have un-trustworthy person,
    > with root access, on the loose.
    >
    > If you see this happening:
    > Change the root password on all systems immediately.
    > Check the logs, see who logged in as root last, and from where.
    > Check who used 'su' around the time that /etc/exports was last
    >updated.
    > Conduct an audit of the system that was altered, looking for other
    > activities.
    >
    >Enjoy
    >Postmaster
    >


    All of that, while true, is not the point. Many places have delegated
    administration for different hosts of business units or whatever.
    Admins from one bu don't have rsh/ssh access to hosts from another.
    So if a file system is exported to a host in a different bu the admin
    for the destination can re-export it elsewhere that maybe they
    shouldn't, whether they are aware of it or not.

    Point is, re-exporting is a way around the original restrictions.
    That is why it's not there anymore. The fact that pretty much all of
    the ways to make it happen require root or sudo is not the point.
    With all the myriad companies and the myriad ways they do things there
    are likely many many scenarios where this is possible, with or without
    intent.

    ~F
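    A defender-side check for the scenario this thread keeps returning to (hostA exports to hostB only; hostB's /etc/exports then re-exports the mount, possibly to the world), written for this page and not code from any poster: it parses exports(5) entries and /proc/mounts, and flags exports whose directory sits on an NFS client mount as well as entries open to every client. The hostA/hostB/hostC names, the paths and both sample files are constructed.

```python
import shlex
from dataclasses import dataclass

# Filesystem types reported by /proc/mounts for an NFS client mount.
NFS_TYPES = ("nfs", "nfs4")

# Reasons attached to findings.
REEXPORT = "re-export of an NFS mount"
WORLD = "exported to every client"

# Constructed /proc/mounts sample: hostB has hostA:/srv/FSA mounted on /mnt/FSB.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
hostA:/srv/FSA /mnt/FSB nfs4 rw,relatime,vers=4.2,addr=192.0.2.10 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""

# Constructed /etc/exports sample on hostB.  The last line shows the
# classic exports(5) pitfall: a space before "(ro)" exports to everyone.
SAMPLE_EXPORTS = """\
# constructed sample, not a real exports file
/srv/local      192.0.2.0/24(rw,sync)
/mnt/FSB        *(rw,no_root_squash)
/mnt/FSB/sub    hostC(ro)
/srv/pub        hostC (ro)
"""


@dataclass(frozen=True)
class Finding:
    path: str
    client: str
    reason: str


def parse_mounts(text):
    """Return {mountpoint: fstype} from /proc/mounts-style text."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        # /proc/mounts escapes a space in a path as \040; undo that.
        mounts[fields[1].replace("\\040", " ")] = fields[2]
    return mounts


def mount_type_of(path, mounts):
    """fstype of the longest mountpoint that contains path (None if none)."""
    best, best_type = None, None
    for mountpoint, fstype in mounts.items():
        prefix = mountpoint.rstrip("/") + "/"
        if path == mountpoint or path.startswith(prefix):
            if best is None or len(mountpoint) > len(best):
                best, best_type = mountpoint, fstype
    return best_type


def parse_exports(text):
    """Yield (path, client, options) for every client spec in exports(5) text."""
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)
        if not tokens:
            continue
        path, specs = tokens[0], tokens[1:]
        # No client list at all: treated here as world-open (conservative).
        for spec in specs or ["*"]:
            client, sep, rest = spec.partition("(")
            options = rest.rstrip(")") if sep else ""
            # A bare "(options)" token has an empty client, i.e. every host.
            yield path, client or "*", options


def audit(exports_text, mounts_text):
    """Flag re-exports of NFS mounts and world-open exports."""
    mounts = parse_mounts(mounts_text)
    findings = []
    for path, client, _options in parse_exports(exports_text):
        if mount_type_of(path, mounts) in NFS_TYPES:
            findings.append(Finding(path, client, REEXPORT))
        if client == "*":
            findings.append(Finding(path, client, WORLD))
    return findings


def _read_or(default, filename):
    """Read a system file when present (Linux), otherwise use the sample."""
    try:
        with open(filename) as fh:
            return fh.read()
    except OSError:
        return default


if __name__ == "__main__":
    exports = _read_or(SAMPLE_EXPORTS, "/etc/exports")
    mounts = _read_or(SAMPLE_MOUNTS, "/proc/mounts")
    for f in audit(exports, mounts):
        print(f"{f.path:<16} {f.client:<16} {f.reason}")
```

    Run on a Linux host it reads the real /etc/exports and /proc/mounts; elsewhere it falls back to the constructed samples, where it reports both /mnt/FSB entries as re-exports and two entries as world-open.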

  11. Re: NFS re-export


    In article <7mmnk1hjaj8i64upiq6ulku15225bietgm@4ax.com>,
    Faeandar writes:
    |>
    |> All of that, while true, is not the point. Many places have delegated
    |> administration for different hosts of business units or whatever.

    That is true.

    |> Admins from one bu don't have rsh/ssh access to hosts from another.

    That isn't. If a system administrator can export a filing system,
    he can set up a rshd/sshd. Also, in sane environments, allowing
    UNPRIVILEGED rsh/ssh is more common than allowing NFS.

    |> So if a file system is exported to a host in a different bu the admin
    |> for the destination can re-export it elsewhere that maybe they
    |> shouldn't, whether they are aware of it or not.

    Ditto setting up rshd/sshd.

    |> Point is, re-exporting is a way around the original restrictions.
    |> That is why it's not there anymore.

    That is not true. It is a facility that many of us would like to
    use (and I have cases where it would be secure and useful), but
    the reason that it is not supported is that it doesn't work, and
    is almost impossible to make work. The NFS protocol isn't suitable
    for such use, because of consistency issues - not security ones.


    Regards,
    Nick Maclaren.

  12. Re: NFS re-export


    "Faeandar" wrote in message
    news:7mmnk1hjaj8i64upiq6ulku15225bietgm@4ax.com...
    > On Tue, 11 Oct 2005 03:59:44 GMT, "Postmaster"
    > wrote:
    >
    >>
    >>"Faeandar" wrote in message
    >>news:i84mk1h6tq5seh4e28am1t7nv3euv224hs@4ax.com...
    >>> On 10 Oct 2005 18:35:38 GMT, nmm1@cus.cam.ac.uk (Nick Maclaren) wrote:
    >>>
    >>>>In article <1ralk1d1a61t7t4525fb8m446n2a2v4br5@4ax.com>,
    >>>>Faeandar wrote:
    >>>>>>|>
    >>>>>>|> >Can an NFS-mounted directory be NFS re-exported in Linux? There
    >>>>>>used
    >>>>>>|> >to be an
    >>>>>>|> >--re-export option in rpc.nfsd (pre-2001?) but it is no longer
    >>>>>>there.
    >>>>>>|>
    >>>>>>|> I would think not since that could allow you to bypass the security
    >>>>>>of
    >>>>>>|> the original export.
    >>>>>>
    >>>>>>Eh? Why would it? The export is more-or-less unconditional.
    >>>>>
    >>>>>Lets say the mounting Linux host mentioned is hostA, and it's
    >>>>>re-exporting to hostB. If hostB does not have permissions to the
    >>>>>original mount, it does now through hostA.
    >>>>
    >>>>So? That allows hostB to do precisely nothing that it can't do by
    >>>>issuing a remote shell command to hostA to access the file system.
    >>>>
    >>>>
    >>>>Regards,
    >>>>Nick Maclaren.
    >>>
    >>> but what if hostB has no rsh capabilities to hostA? Happens all the
    >>> time. We restrict login access to hosts but allow nfs access to
    >>> specific file systems. Specific example:
    >>>
    >>> Source_hostA exports only to admin_hostA. Admin_hostA has restricted
    >>> login permissions so that only admins get login. Someone, for some
    >>> reason (maybe they got passed over for promotion and are planning on
    >>> leaving anyway), re-exports that file system to the world.
    >>>
    >>> We call that "bad".
    >>>
    >>> ~F

    >>
    >> So someone that got passed over for promotion decided to
    >> re-export the NFS filesystem to another host and thus
    >> opens up the filesystem to many other systems. Ok...
    >> but that someone had the "ROOT" password at some
    >> point.
    >>
    >> -rw-r--r-- 1 root root 18 May 4 2004
    >> /etc/exports
    >>
    >> Given that you have an angry user that happens to
    >> have ROOT access, why didn't he just dd if=/dev/null
    >> of=/dev/root bs=8k count=99999999999999, put it
    >> in a crontab, and have it fire several months later :-)
    >> When the new administrator arrives (now that the other
    >> guy has been fired) it would seem prudent for this
    >> person to conduct an audit for a few things like:
    >> Setuid (root) shells,
    >> Cron jobs that look evil.
    >> Email forwarding agents, that shouldn't be there.
    >> Backdoors in firewalls.
    >> Netstat and look for open listeners that one can not explain.
    >> and so on....
    >>
    >> Believe me, the LEAST thing to worry about is a re-export,
    >> you've got much bigger issues if you have un-trustworthy person,
    >> with root access, on the loose.
    >>
    >> If you see this happening:
    >> Change the root password on all systems immediately.
    >> Check the logs, see who logged in as root last, and from where.
    >> Check who used 'su' around the time that /etc/exports was last
    >>updated.
    >> Conduct an audit of the system that was altered, looking for other
    >> activities.
    >>
    >>Enjoy
    >>Postmaster
    >>

    >
    > All of that, while true, is not the point. Many places have delegated
    > administration for different hosts of business units or whatever.
    > Admins from one bu don't have rsh/ssh access to hosts from another.
    > So if a file system is exported to a host in a different bu the admin
    > for the destination can re-export it elsewhere that maybe they
    > shouldn't, whether they are aware of it or not.
    >
    > Point is, re-exporting is a way around the original restrictions.
    > That is why it's not there anymore. The fact that pretty much all of
    > the ways to make it happen require root or sudo is not the point.
    > With all the myriad companies and the myriad ways they do things there
    > are likely many many scenarios where this is possible, with or without
    > intent.
    >
    > ~F


    Logic:

    Admin of server "A" explicitly exports filesystem to "B".
    Admin of "A" must have root access to do this.
    Admin of "B" must have root access to mount this.

    Admin of "B" re-exports filesystem. (and should not have)
    Your conclusion: Let's blame the tools ????

    What if Admin of "B" didn't re-export the filesystem but
    granted logins to "B" ?
    What if Admin of "B" didn't re-export the filesystem but
    granted telnet, or ssh, or ftp, or rcp, or uucp, or scp,
    access to "B" ?

    Conclusion: If the Admin of "B" has root, and decides
    to do something that the admin of "A" doesn't like,
    then the problem is the admin of "B", not the tools.

    One can not solve sociological issues with technology.

    Enjoy,
    Postmaster




  13. Re: NFS re-export

    On 11 Oct 2005 15:51:09 GMT, nmm1@cus.cam.ac.uk (Nick Maclaren) wrote:

    >
    >In article <7mmnk1hjaj8i64upiq6ulku15225bietgm@4ax.com>,
    >Faeandar writes:
    >|>
    >|> All of that, while true, is not the point. Many places have delegated
    >|> administration for different hosts of business units or whatever.
    >
    >That is true.
    >
    >|> Admins from one bu don't have rsh/ssh access to hosts from another.
    >
    >That isn't. If a system administrator can export a filing system,
    >he can set up a rshd/sshd. Also, in sane environments, allowing
    >UNPRIVILEGED rsh/ssh is more common than allowing NFS.
    >


    Actually, it can be true. Just because you have root on hostA does
    not mean you can login to hostB. We have many instances of BU
    specific hosts that no one but the bu admins can login to. And the
    other admins do not have rsh or ssh access to them.

    >|> So if a file system is exported to a host in a different bu the admin
    >|> for the destination can re-export it elsewhere that maybe they
    >|> shouldn't, whether they are aware of it or not.
    >
    >Ditto setting up rshd/sshd.


    Not true. You'd have to have root on the source to do this; we're
    talking about admins with root on the destination. They cannot set up
    rshd or sshd on the source without prior access.

    >
    >|> Point is, re-exporting is a way around the original restrictions.
    >|> That is why it's not there anymore.
    >
    >That is not true. It is a facility that many of us would like to
    >use (and I have cases where it would be secure and useful), but
    >the reason that it is not supported is that it doesn't work, and
    >is almost impossible to make work. The NFS protocol isn't suitable
    >for such use, because of consistency issues - not security ones.


    This may be the case; personally I never used the re-export option so
    I have no idea if it's broken. My only point was that it could be
    used to get around source restrictions.

    ~F

    >
    >
    >Regards,
    >Nick Maclaren.



  14. Re: NFS re-export

    On Tue, 11 Oct 2005 16:01:29 GMT, "Postmaster"
    wrote:

    >
    >"Faeandar" wrote in message
    >news:7mmnk1hjaj8i64upiq6ulku15225bietgm@4ax.com...
    >> On Tue, 11 Oct 2005 03:59:44 GMT, "Postmaster"
    >> wrote:
    >>
    >>>
    >>>"Faeandar" wrote in message
    >>>news:i84mk1h6tq5seh4e28am1t7nv3euv224hs@4ax.com...
    >>>> On 10 Oct 2005 18:35:38 GMT, nmm1@cus.cam.ac.uk (Nick Maclaren) wrote:
    >>>>
    >>>>>In article <1ralk1d1a61t7t4525fb8m446n2a2v4br5@4ax.com>,
    >>>>>Faeandar wrote:
    >>>>>>>|>
    >>>>>>>|> >Can an NFS-mounted directory be NFS re-exported in Linux? There
    >>>>>>>used
    >>>>>>>|> >to be an
    >>>>>>>|> >--re-export option in rpc.nfsd (pre-2001?) but it is no longer
    >>>>>>>there.
    >>>>>>>|>
    >>>>>>>|> I would think not since that could allow you to bypass the security
    >>>>>>>of
    >>>>>>>|> the original export.
    >>>>>>>
    >>>>>>>Eh? Why would it? The export is more-or-less unconditional.
    >>>>>>
    >>>>>>Lets say the mounting Linux host mentioned is hostA, and it's
    >>>>>>re-exporting to hostB. If hostB does not have permissions to the
    >>>>>>original mount, it does now through hostA.
    >>>>>
    >>>>>So? That allows hostB to do precisely nothing that it can't do by
    >>>>>issuing a remote shell command to hostA to access the file system.
    >>>>>
    >>>>>
    >>>>>Regards,
    >>>>>Nick Maclaren.
    >>>>
    >>>> but what if hostB has no rsh capabilities to hostA? Happens all the
    >>>> time. We restrict login access to hosts but allow nfs access to
    >>>> specific file systems. Specific example:
    >>>>
    >>>> Source_hostA exports only to admin_hostA. Admin_hostA has restricted
    >>>> login permissions so that only admins get login. Someone, for some
    >>>> reason (maybe they got passed over for promotion and are planning on
    >>>> leaving anyway), re-exports that file system to the world.
    >>>>
    >>>> We call that "bad".
    >>>>
    >>>> ~F
    >>>
    >>> So someone that got passed over for promotion decided to
    >>> re-export the NFS filesystem to another host and thus
    >>> opens up the filesystem to many other systems. Ok...
    >>> but that someone had the "ROOT" password at some
    >>> point.
    >>>
    >>> -rw-r--r-- 1 root root 18 May 4 2004
    >>> /etc/exports
    >>>
    >>> Given that you have an angry user that happens to
    >>> have ROOT access, why didn't he just dd if=/dev/null
    >>> of=/dev/root bs=8k count=99999999999999, put it
    >>> in a crontab, and have it fire several months later :-)
    >>> When the new administrator arrives (now that the other
    >>> guy has been fired) it would seem prudent for this
    >>> person to conduct an audit for a few things like:
    >>> Setuid (root) shells,
    >>> Cron jobs that look evil.
    >>> Email forwarding agents, that shouldn't be there.
    >>> Backdoors in firewalls.
    >>> Netstat and look for open listeners that one can not explain.
    >>> and so on....
    >>>
    >>> Believe me, the LEAST thing to worry about is a re-export,
    >>> you've got much bigger issues if you have un-trustworthy person,
    >>> with root access, on the loose.
    >>>
    >>> If you see this happening:
    >>> Change the root password on all systems immediately.
    >>> Check the logs, see who logged in as root last, and from where.
    >>> Check who used 'su' around the time that /etc/exports was last
    >>>updated.
    >>> Conduct an audit of the system that was altered, looking for other
    >>> activities.
    >>>
    >>>Enjoy
    >>>Postmaster
    >>>

    >>
    >> All of that, while true, is not the point. Many places have delegated
    >> administration for different hosts of business units or whatever.
    >> Admins from one bu don't have rsh/ssh access to hosts from another.
    >> So if a file system is exported to a host in a different bu the admin
    >> for the destination can re-export it elsewhere that maybe they
    >> shouldn't, whether they are aware of it or not.
    >>
    >> Point is, re-exporting is a way around the original restrictions.
    >> That is why it's not there anymore. The fact that pretty much all of
    >> the ways to make it happen require root or sudo is not the point.
    >> With all the myriad companies and the myriad ways they do things there
    >> are likely many many scenarios where this is possible, with or without
    >> intent.
    >>
    >> ~F

    >
    >Logic:
    >
    > Admin of server "A" explicitly exports filesystem to "B".
    > Admin of "A" must have root access to do this.
    > Admin of "B" must have root access to mount this.
    >
    > Admin of "B" re-exports filesystem. (and should not have)
    > Your conclusion: Let's blame the tools ????


    It's not an issue of blame, it's a matter of fact. It can be done and
    likely has been done numerous times. I am not blaming anything,
    merely making a point.

    >
    > What if Admin of "B" didn't re-export the filesystem but
    > granted logins to "B" ?
    > What if Admin of "B" didn't re-export the filesystem but
    > granted telnet, or ssh, or ftp, or rcp, or uucp, or scp,
    > access to "B" ?
    >
    > Conclusion: If the Admin of "B" has root, and decides
    > to do something that the admin of "A" doesn't like,
    > then the problem is the admin of "B", not the tools.


    I don't disagree, I'm merely pointing out that re-export can
    circumvent source restrictions.

    >
    > One can not solve sociological issues with technology.


    I would disagree with that as a blanket statement but in this case I
    can't argue.

    ~F

    >
    >Enjoy,
    >Postmaster
    >
    >



  15. Re: NFS re-export

    In article ,
    Faeandar wrote:
    >>
    >>That isn't. If a system administrator can export a filing system,
    >>he can set up a rshd/sshd. Also, in sane environments, allowing
    >>UNPRIVILEGED rsh/ssh is more common than allowing NFS.

    >
    >Actually, it can be true. Just because you have root on hostA does
    >not mean you can login to hostB. We have many instances of BU
    >specific hosts that no one but the bu admins can login to. And the
    >other admins do not have rsh or ssh access to them.


    Please reread what I said. I am talking about the administrator
    of the intermediate system. He needs root to export via NFS, he
    needs root to set up a rshd/sshd, and either can be done by accident.

    I was not talking about setting up rshd/sshd on the original server,
    but on the intermediate one. And setting up those on the intermediate
    server allows the export of ALL of the file access facilities that the
    incoming NFS connexion gives him.

    >>|> So if a file system is exported to a host in a different bu the admin
    >>|> for the destination can re-export it elsewhere that maybe they
    >>|> shouldn't, whether they are aware of it or not.
    >>
    >>Ditto setting up rshd/sshd.

    >
    >not true. You'd have to have root on the source to do this, we're
    >talking about admins with root on the destination. They cannot setup
    >rshd or sshd on the source without prior access.


    See above. You haven't thought of all of the options.

    Nor can they set up a NFS export.

    >>|> Point is, re-exporting is a way around the original restrictions.
    >>|> That is why it's not there anymore.
    >>
    >>That is not true. It is a facility that many of us would like to
    >>use (and I have cases where it would be secure and useful), but
    >>the reason that it is not supported is that it doesn't work, and
    >>is almost impossible to make work. The NFS protocol isn't suitable
    >>for such use, because of consistency issues - not security ones.

    >
    >This may be the case, personally I never used the re-export option so
    >I have no idea if it's broken. my only point was that it could be
    >used to get around source restrictions.


    As I said, so can rshd/sshd. And the reason for its removal is as
    I said, nothing to do with either real or imaginary security.


    Regards,
    Nick Maclaren.

  16. Re: NFS re-export

    On 11 Oct 2005 18:08:45 GMT, nmm1@cus.cam.ac.uk (Nick Maclaren) wrote:

    >In article ,
    >Faeandar wrote:
    >>>
    >>>That isn't. If a system administrator can export a filing system,
    >>>he can set up a rshd/sshd. Also, in sane environments, allowing
    >>>UNPRIVILEGED rsh/ssh is more common than allowing NFS.

    >>
    >>Actually, it can be true. Just because you have root on hostA does
    >>not mean you can login to hostB. We have many instances of BU
    >>specific hosts that no one but the bu admins can login to. And the
    >>other admins do not have rsh or ssh access to them.

    >
    >Please reread what I said. I am talking about the administrator
    >of the intermediate system. He needs root to export via NFS, he
    >needs root to set up a rshd/sshd, and either can be done by accident.
    >
    >I was not talking about setting up rshd/sshd on the original server,
    >but one the intermediate one. And setting up those in the intermediate
    >server allows the export of ALL of the file access facilities that the
    >incoming NFS connexion gives him.


    I understand what you said but perhaps I wasn't clear in my response.
    AdminA exports FSA with restrictions that only hostB can write to it;
    adminB mounts hostA:FSA on hostB:FSB. Maybe the rest of the world
    has read, maybe not. Makes no difference for this instance.

    AdminB then re-exports FSB to the world with write permissions. The
    world now has write permissions to hostA:FSA through hostB:FSB,
    regardless of the export restrictions hostA used.

    Now, to say adminB can also allow world to login or rsh/ssh is true.
    But it's also possible that someone (namely the admin but could be
    anyone) does not have root but instead has sudo, common practice in
    most larger installations. That sudo privilege may extend to
    mounting and exporting but not to editing. So adminB has sudo access
    to hostB with mount and export capability but not file edit.

    I'm not saying re-exporting is the only way around export security,
    nor that it's necessarily likely, just that it can happen. There are
    many places where non-senior admins have sudo only and not root. In
    those cases something like this is possible, however unlikely.

    For a root admin it is certainly easy enough to circumvent any/all of
    the host security in place, but re-export allows for the possibility
    of a non-root admin to do so as well.

    Again, I'm not saying it's likely. Merely stating it's possible. A
    point most want to say is not, this is why I argue.

    >
    >>>|> So if a file system is exported to a host in a different bu the admin
    >>>|> for the destination can re-export it elsewhere that maybe they
    >>>|> shouldn't, whether they are aware of it or not.
    >>>
    >>>Ditto setting up rshd/sshd.

    >>
    >>not true. You'd have to have root on the source to do this, we're
    >>talking about admins with root on the destination. They cannot setup
    >>rshd or sshd on the source without prior access.

    >
    >See above. You haven't thought of all of the options.
    >
    >Nor can they set up a NFS export.
    >
    >>>|> Point is, re-exporting is a way around the original restrictions.
    >>>|> That is why it's not there anymore.
    >>>
    >>>That is not true. It is a facility that many of us would like to
    >>>use (and I have cases where it would be secure and useful), but
    >>>the reason that it is not supported is that it doesn't work, and
    >>>is almost impossible to make work. The NFS protocol isn't suitable
    >>>for such use, because of consistency issues - not security ones.

    >>
    >>This may be the case, personally I never used the re-export option so
    >>I have no idea if it's broken. My only point was that it could be
    >>used to get around source restrictions.

    >
    >As I said, so can rshd/sshd. And the reason for its removal is as
    >I said, nothing to do with either real or imaginary security.


    I never argued the reason it was removed.

    ~F

  17. Re: NFS re-export

    In article ,
    Faeandar wrote:
    >
    >Now, to say adminB can also allow world to login or rsh/ssh is true.
    >But it's also possible that someone (namely the admin but could be
    >anyone) does not have root but instead has sudo, common practice in
    >most larger installations. That sudo privilege may extend to
    >mounting and exporting but not to editing. So adminB has sudo access
    >to hostB with mount and export capability but not file edit.


    And it is equally possible for that privilege to extend to starting
    rshd/sshd but not exporting. In any case, the solution is simple.
    Fix the broken sudo configuration.

    If you want to use sudo to allow the export of local file systems
    only, that isn't hard to do. I would strongly suggest that you
    don't allow it to export root access to the root file system, but
    who am I to stop you shooting yourself in the foot?


    Regards,
    Nick Maclaren.

  18. Re: NFS re-export

    Faeandar wrote:

    (snip)

    > Let's say the mounting Linux host mentioned is hostA, and it's
    > re-exporting to hostB. If hostB does not have permissions to the
    > original mount, it does now through hostA.


    Only export to trusted hosts with trusted admins.

    Especially don't export with root access.

    If the admin of hostA can export he can do many other things
    to compromise the security of the NFS mount data, even
    without root access.

    A user task could host a VPN connection that could allow any
    access granted to that user.

    -- glen
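    An added example, not code from any poster in this thread: a small Python audit of an /etc/exports-style file for the risks raised in posts 16 to 18 above, namely re-exporting a path that is itself an NFS mount, exporting root access (no_root_squash), and world-writable exports. The mount table, exports lines, host names and addresses are constructed samples; the option semantics follow exports(5).

```python
import re

# Constructed sample of hostB's /proc/mounts: /mnt/FSB is hostA's FSA, mounted over NFS.
SAMPLE_MOUNTS = """\
hostA:/srv/FSA /mnt/FSB nfs rw,vers=3,addr=192.0.2.10 0 0
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /srv/local ext4 rw,relatime 0 0
"""
# Constructed sample of hostB's /etc/exports, including the thread's re-export scenario.
SAMPLE_EXPORTS = """\
/mnt/FSB        *(rw,sync)                            # hostA:FSA re-exported writable to all
/srv/local      192.0.2.0/24(rw,root_squash,sync)
/               admin.example.com(rw,no_root_squash)
/srv/local/pub  192.0.2.5 (rw)                        # the space makes "(rw)" apply to all
"""
CLIENT_RE = re.compile(r"([^(]*)(?:\((.*)\))?")  # host, optional "(opt,opt)"

def nfs_mountpoints(mounts_text):
    """Mount points whose filesystem type is nfs/nfs4, from /proc/mounts-style text."""
    rows = (line.split() for line in mounts_text.splitlines())
    return [r[1] for r in rows if len(r) > 2 and r[2] in ("nfs", "nfs4")]

def is_on_nfs(path, nfs_points):
    """True if path is an NFS mount point or lies beneath one."""
    return any(path == mp or path.startswith(mp.rstrip("/") + "/") for mp in nfs_points)

def audit_exports(exports_text, mounts_text):
    """Return (path, client, issue) tuples for every risky entry in exports_text."""
    nfs_points = nfs_mountpoints(mounts_text)
    findings = []
    for raw in exports_text.splitlines():
        fields = raw.split("#", 1)[0].split()      # '#' starts a comment, as in exports(5)
        if not fields:
            continue
        path, specs = fields[0], fields[1:]
        if is_on_nfs(path, nfs_points):
            findings.append((path, "*", "re-export of an NFS mount"))
        for spec in specs:
            host, opts = CLIENT_RE.fullmatch(spec).groups()
            host = host or "*"                       # a bare "(opts)" applies to every host
            opts = set((opts or "").split(","))      # absent options mean ro and root_squash
            if "no_root_squash" in opts:
                findings.append((path, host, "root access not squashed"))
            if host == "*" and "rw" in opts:
                findings.append((path, host, "world-writable"))
            if path == "/" and "rw" in opts:
                findings.append((path, host, "root filesystem exported writable"))
    return findings
```

    Running audit_exports(SAMPLE_EXPORTS, SAMPLE_MOUNTS) flags the re-exported /mnt/FSB twice (re-export and world-writable), the unsquashed writable export of /, and the accidental world-writable entry for /srv/local/pub, while the properly restricted /srv/local entry passes.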
