[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

NFS security ...

    Date: Thu, 30 May 1991 06:09-0400
    From: Christopher Stacy <CStacy@STONY-BROOK.SCRC.Symbolics.COM>

	Date: Wed, 29 May 1991 16:38 EDT
	From: buff@pravda.cc.gatech.edu (Richard Billington)
	To: customer-reports@riverside.scrc.symbolics.com, slug@ai.sri.com

	As far as I know, the nfs protocol makes no provision for security, leaving
	that up to the hosts involved. Since the Symbolics has no security, that means
	that someone can login as anyone on a Symbolics and have that anyone's nfs
	mounted files on a "secure" nfs server completely available to them.


    The Symbolics NFS client implements the same security as the UNIX one.

Agreed, see lengthly comments below.

	... (deleted for brevity)

    Like UNIX, the Genera NFS client will not lie about who you are, and it
    makes sure you are who you claim to be by asking for a password and checking
    it against what's in the Yellow Pages.  Of course, you can modify the
    function that does that to just skip that pesky password prompting and
    comparison, and always return T.

I'm not running YP, and I get no password verification. Also, the scheme I'm
proposing would not allow you to just "modify the function ... and always
return T".

    You can also modify the NFS client that runs on your UNIX box, Macintosh,
    IBM or whatever, and thereby access any files on someone's server by simply
    claiming you are them.  It certainly doesn't matter what language it's
    written in, or what operating system is being used.

Hmmm, I think you'd need root access to do this ...

    The only danger from Symbolics systems is that it's generally very easy to
    write computer programs on them, and you have the source code for our NFS
    implementation available to start from, so it all becomes easily tractable. 

As to these last two paragraphs, let's not get so defensive, ok? I don't think
the tone or content of my original note were critical. I just want to know
whether anyone else has already dealt with the problem, and if not what other
opinions are about my scheme (which is not wonderful, I agree, but I think it
would work).

    More notes: 
     1. Under SunOS, I think you can specify the hosts your NFS server will trust.
	Anyone on those hosts is free to claim to be anybody at all on the server.

This is precisely what I was refering to ... see my extensive comments below.

     2. NFS tries not let anyone claim to be "root" (UID 0), and makes them be
	"nobody" (UID -2) instead, to prevent attacks as root.  (That is, security
	is based on the fact that only root's files are of any importance to anybody,
	and then "root" is never allowed any access.)

This is absolutely true, thank god.

	... (remainder of message deleted for brevity)

Sorry, "security" is a broad term, and I meant only a piece of it. By security,
I meant "verifying a user is who he/she says by password". I agree with your
statement above, but NFS does NOT verify user authenticity - it assumes that
the local machine has done so (which Symbolics do not) and the scenario I
sketched out in my original message is true. In fact, if I login as a user who
does not have an account on the server host, I can gain access to ANYONE's
files on that host: 

	Command: Login (user name) foo (keywords) :Init File None
	Command: Show Directory FOOBAR:/u/ai/*
	No UNIX passwd information found for user name "FOO" for host FOOBAR.
	Enter user name for host FOOBAR, or type Return to login anonymously: 

and voila, I've access to any file owned by the username I type in. It does
NOT check my password at this point - but I'm not running YP, either.

I assume this is because, unlike TCP, the protocol doesn't include verifying
the username and password, hence the server allows anyone in. This makes sense
(not to have it in the protocol) if you think about the way NFS is designed to
work in the unix environment; namely, a machine mounts another machine's file
system, and users with accounts on both machines can then access their files
on the remote host as if they're mounted locally once they've logged in to the
local host.

So, I'm not faulting NFS - I understand the level of security it provides and
why it stops where it does - nor am I faulting Symbolics - I BELIEVE you
implemented NFS to the letter. Rather, I am proposing a different protocol
which the Symbolics NFS client could use to force an NFS server to verify that
a user is really who he/she says he/she is. It is a hack. It probably would be
fairly difficult to break, however, because verification and control of what's
exported is left up to the unix host, which is not so easily broken into. If
there's a better, cleaner fix around, please pass it on.

Many thanks for your interest and attention.