Bug 49101

Summary: NFSv4 still broken for suid applications
Product: File System Reporter: Andreas Steinmetz (ast)
Component: NFSAssignee: Trond Myklebust (trondmy)
Status: CLOSED CODE_FIX    
Severity: normal CC: alan, florian
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: 3.6.2 Subsystem:
Regression: No Bisected commit-id:
Attachments: NFS: Fix access to suid/sgid executables

Description Andreas Steinmetz 2012-10-19 16:14:35 UTC 
On NFSv4 suid applications that should only be executable but not readable are still readable until the application is executed for the first time.
After the application was executed at least once any attempt to read the suid binary is denied, but any attempt to execute the suid binary is denied, too.

NFSv3 works as expected.

This prevents NFSv4 usage for any mount that doesn't have a 'nosuid' mount option and in fact is a security problem as unprivileged users can read applications for which they do not have read permission.

The NFS server (v3 and v4) is a 64 bit 3.6.2 system. The nfs client shown below is a 32 bit 3.6.2 virtual system (the behaviour of a 64 bit client virtual system running 3.6.2 is identical).

Now here the NFSv4 base test just after boot and having logged in via ssh:
==========================================================================

admin@evil ~ $ mount
rootfs on / type rootfs (rw)
10.1.9.12:/nfsroot-evil/ on / type nfs4 (rw,noatime,nodiratime,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=10.1.9.25,local_lock=none,addr=10.1.9.12)
none on /dev type devtmpfs (rw,relatime,size=1036672k,nr_inodes=221377,mode=755)
none on /proc type proc (rw,noatime,nodiratime)
tmpfs on /run type tmpfs (rw,nosuid,nodev,relatime,mode=755)
none on /sys type sysfs (rw,noatime,nodiratime)
debugfs on /sys/kernel/debug type debugfs (rw,nosuid,nodev,noexec,relatime)
cgroup_root on /sys/fs/cgroup type tmpfs (rw,nosuid,nodev,noexec,relatime,size=10240k,mode=755)
openrc on /sys/fs/cgroup/openrc type cgroup (rw,nosuid,nodev,noexec,relatime,release_agent=/lib/rc/sh/cgroup-release-agent.sh,name=openrc)
cpuset on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cpu on /sys/fs/cgroup/cpu type cgroup (rw,nosuid,nodev,noexec,relatime,cpu)
cpuacct on /sys/fs/cgroup/cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpuacct)
freezer on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
none on /dev/pts type devpts (rw,noatime,nodiratime,mode=600)
none on /dev/shm type tmpfs (rw,noatime,nodiratime)
rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
admin@evil ~ $ ls -l /bin/su
-rws--x--x 1 root root 35088 Jul 20 22:49 /bin/su
admin@evil ~ $ id  
uid=61(admin) gid=100(users) groups=100(users),10(wheel)
admin@evil ~ $ su -
Password: 
evil ~ # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),26(tape),27(video)
evil ~ # exit
logout
admin@evil ~ $ cat /bin/su
cat: /bin/su: Permission denied
admin@evil ~ $ su -
-bash: /bin/su: Permission denied
admin@evil ~ $ 


Then another NFSv4 test again logged in just after boot with ssh:
=================================================================

admin@evil ~ $ cat /bin/su > /dev/null
admin@evil ~ $ ls -l /bin/su
-rws--x--x 1 root root 35088 Jul 20 22:49 /bin/su
admin@evil ~ $ cat /bin/su > /dev/null
admin@evil ~ $ ls -l /bin/su
-rws--x--x 1 root root 35088 Jul 20 22:49 /bin/su
admin@evil ~ $ cat /bin/su > /dev/null
admin@evil ~ $ su -
Password: 
evil ~ # exit
logout
admin@evil ~ $ cat /bin/su > /dev/null
cat: /bin/su: Permission denied
admin@evil ~ $ su -
-bash: /bin/su: Permission denied
admin@evil ~ $ 


For reference same system booted with NFSv3, and just logged in after boot:
===========================================================================

rootfs on / type rootfs (rw)
10.1.9.12:/kvm/evil/nfsroot/ on / type nfs (rw,relatime,vers=3,rsize=8192,wsize=8192,namlen=255,hard,nolock,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=10.1.9.12,mountvers=3,mountproto=tcp,local_lock=all,addr=10.1.9.12)
devtmpfs on /dev type devtmpfs (rw,relatime,size=1037204k,nr_inodes=221642,mode=755)
none on /proc type proc (rw,noatime,nodiratime)
tmpfs on /run type tmpfs (rw,nosuid,nodev,relatime,mode=755)
none on /sys type sysfs (rw,noatime,nodiratime)
debugfs on /sys/kernel/debug type debugfs (rw,nosuid,nodev,noexec,relatime)
cgroup_root on /sys/fs/cgroup type tmpfs (rw,nosuid,nodev,noexec,relatime,size=10240k,mode=755)
openrc on /sys/fs/cgroup/openrc type cgroup (rw,nosuid,nodev,noexec,relatime,release_agent=/lib/rc/sh/cgroup-release-agent.sh,name=openrc)
cpuset on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cpu on /sys/fs/cgroup/cpu type cgroup (rw,nosuid,nodev,noexec,relatime,cpu)
cpuacct on /sys/fs/cgroup/cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpuacct)
freezer on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
none on /dev/pts type devpts (rw,noatime,nodiratime,mode=600)
none on /dev/shm type tmpfs (rw,noatime,nodiratime)
rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
admin@evil ~ $ ls -l /bin/su
-rws--x--x 1 root root 35088 Jul 20 22:49 /bin/su
admin@evil ~ $ cat /bin/su
cat: /bin/su: Permission denied
admin@evil ~ $ su -
Password: 
evil ~ # exit
logout
admin@evil ~ $
Comment 1 Trond Myklebust 2012-10-19 17:52:47 UTC 
Please try 3.7-rc1.

The following changesets should provide a fix for this problem:

commit 6168f62cb (NFSv4: Add ACCESS operation to OPEN compound),
commit bbd3a8eee (NFSv4: don't check MAY_WRITE access bit in OPEN)
commit ae2bb0323 (NFSv4: don't put ACCESS in OPEN compound if O_EXCL)
Comment 2 Andreas Steinmetz 2012-10-19 20:47:30 UTC 
With 3.7-rc1 running on both NVSv4 client and server the problem has shifted a bit: suid execute only applications can't be executed anymore when this should be possible (see below):

NVFv4 client just after boot:
=============================

admin@evil ~ $ mount
10.1.9.12:/nfsroot-evil/ on / type nfs4 (rw,noatime,nodiratime,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=10.1.9.25,local_lock=none,addr=10.1.9.12)
none on /dev type devtmpfs (rw,relatime,size=1036636k,nr_inodes=221359,mode=755)
none on /proc type proc (rw,noatime,nodiratime)
tmpfs on /run type tmpfs (rw,nosuid,nodev,relatime,mode=755)
none on /sys type sysfs (rw,noatime,nodiratime)
cgroup_root on /sys/fs/cgroup type tmpfs (rw,nosuid,nodev,noexec,relatime,size=10240k,mode=755)
openrc on /sys/fs/cgroup/openrc type cgroup (rw,nosuid,nodev,noexec,relatime,release_agent=/lib/rc/sh/cgroup-release-agent.sh,name=openrc)
cpuset on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cpu on /sys/fs/cgroup/cpu type cgroup (rw,nosuid,nodev,noexec,relatime,cpu)
cpuacct on /sys/fs/cgroup/cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpuacct)
freezer on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
none on /dev/pts type devpts (rw,noatime,nodiratime,mode=600)
none on /dev/shm type tmpfs (rw,noatime,nodiratime)
/etc/autofs/auto.lan on /autofs/lan type autofs (rw,relatime,fd=6,pgrp=1898,timeout=60,minproto=5,maxproto=5,indirect)
rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
admin@evil ~ $ ls -l /bin/su
-rws--x--x 1 root root 35088 Jul 20 22:49 /bin/su
admin@evil ~ $ su -
-bash: /bin/su: Permission denied
admin@evil ~ $ cat /bin/su
cat: /bin/su: Permission denied
admin@evil ~ $
Comment 3 Trond Myklebust 2012-10-19 21:47:02 UTC 
OK... Will look into this.
Comment 4 Trond Myklebust 2013-01-03 21:53:39 UTC 
Created attachment 90331 [details]
NFS: Fix access to suid/sgid executables

Please could you test the following patch.
Comment 5 Florian Mickler 2013-01-11 21:32:52 UTC 
A patch referencing this bug report has been merged in Linux v3.8-rc3:

commit f8d9a897d4384b77f13781ea813156568f68b83e
Author: Weston Andros Adamson <dros@netapp.com>
Date:   Thu Jan 3 16:42:29 2013 -0500

    NFS: Fix access to suid/sgid executables