But Unix still doesn’t let me write my files back out. I poke around a bit and find that the problem is that when your Kerberos privileges expire, nfsauth crashes. OK, so I start up another nfsauth, once again feeding it the names of all the NFS servers I am using. Now I can write my files back out. Well, it turns out that I almost always work for longer than eight hours, so this becomes a bit of a routine. My fellow victims in LCS Unix land assure me that this really is the way it works and that they all just put up with it. Well, I ask, how about at least fixing nfsauth so that instead of crashing, it just hangs around and waits for your new Kerberos privileges to arrive? Sorry, can’t do that. It seems that nobody can locate the sources to nfsauth.

The Exports List

NFS couldn’t have been marketed if it looked like the system offered no security, so its creators gave it the appearance of security without going through the formality of implementing a secure protocol. Recall that if you don’t give the NFS server a magic cookie (the file handle), you can’t scribble on the file. So, the NFS theory goes, by controlling access to the cookies, you control access to the files. To get the magic cookie for the root directory of a file system, you need to mount the file system, and that’s where the idea of “security” comes in. A special file on the server called /etc/exports lists the exported file systems and the computers to which they are allowed to be exported.

Unfortunately, nothing prevents a rogue program from guessing magic cookies, and in practice these guesses aren’t very hard to make. Being left out of an NFS server’s exports file raises the time to break into that server from a few seconds to a few hours. Not much more, though. And, since the servers are stateless, once a cookie is guessed (or legitimately obtained) it’s good forever: there is no session to expire, and the server cannot tell a guessed handle from one it handed out.
In a typical firewall-protected network environment, NFS’s big security risk isn’t the risk of attack by outsiders; it’s the risk that insiders with authorized access to your file server can use that access to get at your files as well as their own. Since it is stateless, the NFS server has no concept of “logging in.” Oh sure, you’ve logged into your workstation, but the NFS server doesn’t know that. So whenever you send a magic cookie to the NFS server, asking it to read or write a file, you also tell the server your user number, and the server takes your word for it. Want to read George’s files? Just change your UID to be George’s, and read away. After all, it’s trivial to put most workstations into single-user mode. The nice thing about NFS is that when you compromise the workstation, you’ve compromised the server as well.

Don’t want to go through the hassle of booting the workstation in single-user mode? No problem! You can run user-level programs that send requests to an NFS server, and access anybody’s files, just by typing in a 500-line C program or getting a copy from the net archives.

But there’s more. Because forging packets is so simple, many NFS servers are configured to refuse superuser access across the network. Any request that arrives claiming to come from the superuser is automatically mapped to the “nobody” user, which has no privileges. Because of this, the superuser has fewer privileges on NFS workstations than non-superuser users have. If you are logged in as superuser, there is no easy way for you to regain your privilege: no program you can run, no password you can type. If you want to modify a file on the server that is owned by root and is read-only, you must log onto the server, unless, of course, you patch the server’s operating system to eliminate security.

Ian Horswill summed it all up in December 1990 in response to a question posed by a person who was trying to run the SUID mail delivery program /bin/mail on one computer but have the mail files in /usr/spool/mail on another computer, mounted via NFS.

Date: Fri, 7 Dec 90 12:48:50 EST
From: “Ian D. Horswill” ian@ai.mit.edu
To: UNIX-HATERS
Subject: Computational Cosmology, and the Theology of Unix

It works like this. Sun has this spiffy network file system. Unfortunately, it doesn’t have any real theory of access control. This is partly because Unix doesn’t have one either.
It has two levels: mortal and God. God (i.e., root) can do anything. The problem is that networks make things polytheistic: Should my workstation’s God be able to turn your workstation into a pillar of salt? Well gee, that depends on whether my God and your God are on good terms or maybe are really just the SAME God. This is a deep and important theological question that has puzzled humankind for millennia.
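As an added example (the editor’s own, not code from the book and not part of Ian Horswill’s message), the following Python shows concretely what the passage above about “telling the server your user number” means on the wire. It builds the ONC RPC message an NFS v2 client sends for a GETATTR request, carrying an AUTH_UNIX credential that simply asserts a uid and gid, then parses that message the way a stateless server would and applies the one check the text describes: a claimed uid 0 is mapped to “nobody”, every other claimed uid is honoured as-is. The wire layout follows the public ONC RPC v2 and NFS v2 specifications; George’s uid (1234), the nobody uid (65534), the machine name, the xid and the 32-byte file handle are all assumptions constructed for the demo.

```python
"""Forge an NFS v2 AUTH_UNIX credential and apply server-side root squashing.

Added example, not from the book. Wire formats follow ONC RPC v2 (RFC 5531)
and NFS v2 (RFC 1094); every identity value below is a demo assumption.
"""
import struct

# Public ONC RPC / NFS v2 constants.
RPC_CALL = 0
RPC_VERSION = 2
NFS_PROGRAM = 100003
NFS_VERSION = 2
NFSPROC_GETATTR = 1
AUTH_NULL = 0
AUTH_UNIX = 1            # a.k.a. AUTH_SYS: uid/gid asserted by the client, never verified
FHSIZE = 32              # an NFS v2 file handle ("magic cookie") is a fixed 32-byte opaque

# Assumptions for the demo, not from the book.
NOBODY_UID = 65534       # uid the server maps root to when it "squashes" root
NOBODY_GID = 65534
GEORGE_UID = 1234        # the victim's uid, chosen for the example
GEORGE_GID = 100
FORGED_HANDLE = bytes(range(FHSIZE))   # constructed stand-in for a guessed or obtained handle


def xdr_uint(n):
    """XDR unsigned int: 4 bytes, big-endian."""
    return struct.pack(">I", n & 0xFFFFFFFF)


def xdr_opaque(data):
    """XDR variable-length opaque: length, bytes, zero padding to a 4-byte boundary."""
    return xdr_uint(len(data)) + data + b"\x00" * ((-len(data)) % 4)


def auth_unix_cred(uid, gid, gids=(), machine=b"workstation", stamp=0):
    """AUTH_UNIX body: stamp, machine name, uid, gid, supplementary gids.

    Nothing here is signed or checked; the server simply trusts the numbers,
    so the caller can put any uid it likes in the packet.
    """
    body = xdr_uint(stamp) + xdr_opaque(machine) + xdr_uint(uid) + xdr_uint(gid)
    return body + xdr_uint(len(gids)) + b"".join(xdr_uint(g) for g in gids)


def nfs_getattr_call(xid, uid, gid, fhandle):
    """RPC call header for NFSPROC_GETATTR followed by its argument, the file handle."""
    msg = xdr_uint(xid) + xdr_uint(RPC_CALL) + xdr_uint(RPC_VERSION)
    msg += xdr_uint(NFS_PROGRAM) + xdr_uint(NFS_VERSION) + xdr_uint(NFSPROC_GETATTR)
    msg += xdr_uint(AUTH_UNIX) + xdr_opaque(auth_unix_cred(uid, gid))
    msg += xdr_uint(AUTH_NULL) + xdr_opaque(b"")      # verifier: none
    return msg + fhandle


class XdrReader:
    """Minimal XDR decoder over a byte string."""

    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def uint(self):
        (v,) = struct.unpack_from(">I", self.buf, self.pos)
        self.pos += 4
        return v

    def opaque(self):
        n = self.uint()
        data = self.buf[self.pos:self.pos + n]
        self.pos += n + ((-n) % 4)
        return data


def server_parse_call(msg):
    """What a stateless server sees: no session, so identity is whatever this one message claims."""
    r = XdrReader(msg)
    xid = r.uint()
    if r.uint() != RPC_CALL or r.uint() != RPC_VERSION:
        raise ValueError("not an RPC v2 call")
    prog, vers, proc = r.uint(), r.uint(), r.uint()
    flavor, cred = r.uint(), r.opaque()
    r.uint()                                            # verifier flavor (AUTH_NULL)
    r.opaque()                                          # verifier body (empty)
    if flavor != AUTH_UNIX:
        raise ValueError("only AUTH_UNIX credentials handled here")
    c = XdrReader(cred)
    stamp, machine, uid, gid = c.uint(), c.opaque(), c.uint(), c.uint()
    gids = [c.uint() for _ in range(c.uint())]
    return {"xid": xid, "prog": prog, "vers": vers, "proc": proc, "stamp": stamp,
            "machine": machine, "uid": uid, "gid": gid, "gids": gids,
            "fhandle": msg[r.pos:r.pos + FHSIZE]}


def effective_identity(uid, gid, root_squash=True):
    """The one check the text describes: a claimed uid 0 becomes "nobody".

    Any other claimed uid is honoured unchanged, so impersonating George
    works while impersonating root does not.
    """
    if root_squash and uid == 0:
        return NOBODY_UID, NOBODY_GID
    return uid, gid


if __name__ == "__main__":
    for who, uid, gid in (("george", GEORGE_UID, GEORGE_GID), ("root", 0, 0)):
        seen = server_parse_call(nfs_getattr_call(0x1234, uid, gid, FORGED_HANDLE))
        print(who, "claimed", (seen["uid"], seen["gid"]),
              "-> server acts as", effective_identity(seen["uid"], seen["gid"]))
```

Run stand-alone, the request claiming George’s uid is honoured as George, while the request claiming uid 0 is squashed to nobody. Nothing in the credential lets the server distinguish a forged request from a legitimate one, which is why the exports list and root squashing are the only levers the server has, and why the book’s observation that compromising a workstation compromises the server follows directly from the protocol.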