On Sat, Oct 9, 2010 at 6:39 AM, Nico Kadel-Garcia <nkadel_at_gmail.com> wrote:
> Second, many working environments in the UNIX world rely on NFS based
> home directoies, to share working environments and configurations
> across a variety of machines. In such environments, *any* host that
> can be leveraged to local root access can "su" or "suco" to become the
> target user, and access their entire home directory.
>
> Think I'm kidding? Walk into any university environment: plug in a
> live Linux CD. Run an "nmap" scan for hosts running NFS. Run
> "showmount" to detect what NFS shares are published to everyone. Go
> ahead and mount the shares. Look in them for home directoriies. Look
> in them, using your local root privileges, for Subversion passphrases.
> (Look for CVS passphrases and un-passphrase-protected SSH keys while
> you're at it.)
This is why running public-facing NFS servers using auth_sys and
no_root_squash is a BAD idea. If this is happening at your site, you
have much more serious things to worry about than subversion passwords
being stolen. For example, in your scenario it would be trivial to
create an suid-root shell binary, which a local user could then run
and gain root privileges.
--
David Brodbeck
System Administrator, Linguistics
University of Washington
Received on 2010-10-14 20:07:01 CEST