On NFSv4, suid applications that should only be executable but not readable are still readable until the application is executed for the first time. After the application has been executed at least once, any attempt to read the suid binary is denied, but any attempt to execute the suid binary is denied, too. NFSv3 works as expected.

This prevents NFSv4 usage for any mount that doesn't have a 'nosuid' mount option and is in fact a security problem, as unprivileged users can read applications for which they do not have read permission.

The NFS server (v3 and v4) is a 64-bit 3.6.2 system. The NFS client shown below is a 32-bit 3.6.2 virtual system (the behaviour of a 64-bit client virtual system running 3.6.2 is identical).

Here is the NFSv4 base test, run just after boot and having logged in via ssh:
==========================================================================
admin@evil ~ $ mount
rootfs on / type rootfs (rw)
10.1.9.12:/nfsroot-evil/ on / type nfs4 (rw,noatime,nodiratime,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=10.1.9.25,local_lock=none,addr=10.1.9.12)
none on /dev type devtmpfs (rw,relatime,size=1036672k,nr_inodes=221377,mode=755)
none on /proc type proc (rw,noatime,nodiratime)
tmpfs on /run type tmpfs (rw,nosuid,nodev,relatime,mode=755)
none on /sys type sysfs (rw,noatime,nodiratime)
debugfs on /sys/kernel/debug type debugfs (rw,nosuid,nodev,noexec,relatime)
cgroup_root on /sys/fs/cgroup type tmpfs (rw,nosuid,nodev,noexec,relatime,size=10240k,mode=755)
openrc on /sys/fs/cgroup/openrc type cgroup (rw,nosuid,nodev,noexec,relatime,release_agent=/lib/rc/sh/cgroup-release-agent.sh,name=openrc)
cpuset on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cpu on /sys/fs/cgroup/cpu type cgroup (rw,nosuid,nodev,noexec,relatime,cpu)
cpuacct on /sys/fs/cgroup/cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpuacct)
freezer on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
none on /dev/pts type devpts (rw,noatime,nodiratime,mode=600)
none on /dev/shm type tmpfs (rw,noatime,nodiratime)
rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
admin@evil ~ $ ls -l /bin/su
-rws--x--x 1 root root 35088 Jul 20 22:49 /bin/su
admin@evil ~ $ id
uid=61(admin) gid=100(users) groups=100(users),10(wheel)
admin@evil ~ $ su -
Password:
evil ~ # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),26(tape),27(video)
evil ~ # exit
logout
admin@evil ~ $ cat /bin/su
cat: /bin/su: Permission denied
admin@evil ~ $ su -
-bash: /bin/su: Permission denied
admin@evil ~ $

Then another NFSv4 test, again logged in via ssh just after boot:
=================================================================
admin@evil ~ $ cat /bin/su > /dev/null
admin@evil ~ $ ls -l /bin/su
-rws--x--x 1 root root 35088 Jul 20 22:49 /bin/su
admin@evil ~ $ cat /bin/su > /dev/null
admin@evil ~ $ ls -l /bin/su
-rws--x--x 1 root root 35088 Jul 20 22:49 /bin/su
admin@evil ~ $ cat /bin/su > /dev/null
admin@evil ~ $ su -
Password:
evil ~ # exit
logout
admin@evil ~ $ cat /bin/su > /dev/null
cat: /bin/su: Permission denied
admin@evil ~ $ su -
-bash: /bin/su: Permission denied
admin@evil ~ $

For reference, the same system booted with NFSv3, and just logged in after boot:
===========================================================================
rootfs on / type rootfs (rw)
10.1.9.12:/kvm/evil/nfsroot/ on / type nfs (rw,relatime,vers=3,rsize=8192,wsize=8192,namlen=255,hard,nolock,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=10.1.9.12,mountvers=3,mountproto=tcp,local_lock=all,addr=10.1.9.12)
devtmpfs on /dev type devtmpfs (rw,relatime,size=1037204k,nr_inodes=221642,mode=755)
none on /proc type proc (rw,noatime,nodiratime)
tmpfs on /run type tmpfs (rw,nosuid,nodev,relatime,mode=755)
none on /sys type sysfs (rw,noatime,nodiratime)
debugfs on /sys/kernel/debug type debugfs (rw,nosuid,nodev,noexec,relatime)
cgroup_root on /sys/fs/cgroup type tmpfs (rw,nosuid,nodev,noexec,relatime,size=10240k,mode=755)
openrc on /sys/fs/cgroup/openrc type cgroup (rw,nosuid,nodev,noexec,relatime,release_agent=/lib/rc/sh/cgroup-release-agent.sh,name=openrc)
cpuset on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cpu on /sys/fs/cgroup/cpu type cgroup (rw,nosuid,nodev,noexec,relatime,cpu)
cpuacct on /sys/fs/cgroup/cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpuacct)
freezer on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
none on /dev/pts type devpts (rw,noatime,nodiratime,mode=600)
none on /dev/shm type tmpfs (rw,noatime,nodiratime)
rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
admin@evil ~ $ ls -l /bin/su
-rws--x--x 1 root root 35088 Jul 20 22:49 /bin/su
admin@evil ~ $ cat /bin/su
cat: /bin/su: Permission denied
admin@evil ~ $ su -
Password:
evil ~ # exit
logout
admin@evil ~ $
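A scripted form of the manual test sequence in the report above, as an added example that is not part of the bug report. It runs the same two probes the reporter did by hand (open for reading with cat, then execute) in either order, and compares the outcome with what the NFSv3 session shows for a mode -rws--x--x binary: read denied, execute allowed. The target path /bin/su, the TARGET variable, the script name and the result strings are assumptions of this example; the order dependence it is built around is the one the report demonstrates (read succeeds until the first execute, then both fail). Run it as an unprivileged user, once per order, each time on a freshly mounted NFSv4 root, because a single mount only shows one of the two outcomes.

```shell
#!/bin/sh
# suidprobe.sh: reproduce the execute-only suid test from the report.
# Added example, not the reporter's script. TARGET and the result strings
# are assumptions; /bin/su and -rws--x--x come from the report's own output.
#
# Usage (unprivileged user, fresh NFSv4 mount each time):
#   ./suidprobe.sh read-first    # cat first, then execute (report's first test)
#   ./suidprobe.sh exec-first    # execute first, then cat (report's second test)

# probe_read PATH: try to open the file for reading; print "ok" or "denied".
probe_read() {
    if cat -- "$1" >/dev/null 2>&1; then echo ok; else echo denied; fi
}

# probe_exec PATH: try to execve() the file with stdin closed so an interactive
# program such as su fails fast instead of prompting. Only whether the kernel
# allowed the exec matters: the shell reports 126 (found, not executable) or
# 127 (not found) when execve() itself failed; any other status means it ran.
probe_exec() {
    if "$1" </dev/null >/dev/null 2>&1; then rc=0; else rc=$?; fi
    case $rc in
        126|127) echo denied ;;
        *)       echo ok ;;
    esac
}

# probe_order PATH ORDER: run the two probes in the requested order and print
# "read=<ok|denied> exec=<ok|denied>". On the client in the report the order
# decides the result, which is why the script takes it as an argument.
probe_order() {
    if [ "${2:-read-first}" = exec-first ]; then
        e=$(probe_exec "$1"); r=$(probe_read "$1")
    else
        r=$(probe_read "$1"); e=$(probe_exec "$1")
    fi
    echo "read=$r exec=$e"
}

# classify_result RESULT: return 0 when RESULT is what a correct client must
# give for a -rws--x--x binary (the NFSv3 behaviour in the report); otherwise
# print a one-line diagnosis and return 1.
classify_result() {
    case $1 in
        "read=denied exec=ok")     echo "OK: execute-only enforced"; return 0 ;;
        "read=ok exec="*)          echo "LEAK: unprivileged read of an execute-only binary" ;;
        "read=denied exec=denied") echo "BROKEN: execute-only binary cannot be executed" ;;
        *)                         echo "UNEXPECTED: $1" ;;
    esac
    return 1
}

main() {
    target=${TARGET:-/bin/su}
    if [ "$(id -u)" -eq 0 ]; then
        echo "run this as an unprivileged user; root bypasses the mode bits" >&2
        return 2
    fi
    result=$(probe_order "$target" "$1")
    echo "$target ($1): $result"
    classify_result "$result"
}

# Run only when an order argument is given, so the functions can be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

The exit status follows classify_result, so the script can sit in a boot-time check: a LEAK result on a mount without nosuid is the unprivileged-read problem the report describes, a BROKEN result is the post-3.7-rc1 symptom, and OK is the NFSv3 reference behaviour.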
Please try 3.7-rc1. The following changesets should provide a fix for this problem:

commit 6168f62cb (NFSv4: Add ACCESS operation to OPEN compound)
commit bbd3a8eee (NFSv4: don't check MAY_WRITE access bit in OPEN)
commit ae2bb0323 (NFSv4: don't put ACCESS in OPEN compound if O_EXCL)
With 3.7-rc1 running on both NFSv4 client and server the problem has shifted a bit: suid execute-only applications can't be executed anymore when this should be possible (see below):

NFSv4 client just after boot:
=============================
admin@evil ~ $ mount
10.1.9.12:/nfsroot-evil/ on / type nfs4 (rw,noatime,nodiratime,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=10.1.9.25,local_lock=none,addr=10.1.9.12)
none on /dev type devtmpfs (rw,relatime,size=1036636k,nr_inodes=221359,mode=755)
none on /proc type proc (rw,noatime,nodiratime)
tmpfs on /run type tmpfs (rw,nosuid,nodev,relatime,mode=755)
none on /sys type sysfs (rw,noatime,nodiratime)
cgroup_root on /sys/fs/cgroup type tmpfs (rw,nosuid,nodev,noexec,relatime,size=10240k,mode=755)
openrc on /sys/fs/cgroup/openrc type cgroup (rw,nosuid,nodev,noexec,relatime,release_agent=/lib/rc/sh/cgroup-release-agent.sh,name=openrc)
cpuset on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cpu on /sys/fs/cgroup/cpu type cgroup (rw,nosuid,nodev,noexec,relatime,cpu)
cpuacct on /sys/fs/cgroup/cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpuacct)
freezer on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
none on /dev/pts type devpts (rw,noatime,nodiratime,mode=600)
none on /dev/shm type tmpfs (rw,noatime,nodiratime)
/etc/autofs/auto.lan on /autofs/lan type autofs (rw,relatime,fd=6,pgrp=1898,timeout=60,minproto=5,maxproto=5,indirect)
rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
admin@evil ~ $ ls -l /bin/su
-rws--x--x 1 root root 35088 Jul 20 22:49 /bin/su
admin@evil ~ $ su -
-bash: /bin/su: Permission denied
admin@evil ~ $ cat /bin/su
cat: /bin/su: Permission denied
admin@evil ~ $
OK... Will look into this.
Created attachment 90331: NFS: Fix access to suid/sgid executables

Please could you test the following patch.
A patch referencing this bug report has been merged in Linux v3.8-rc3:

commit f8d9a897d4384b77f13781ea813156568f68b83e
Author: Weston Andros Adamson <dros@netapp.com>
Date:   Thu Jan 3 16:42:29 2013 -0500

    NFS: Fix access to suid/sgid executables