On Tue, Aug 13, 2013 at 12:47:14AM +0000, Parisi, Justin wrote:
> As I mentioned in the previous email, I filed a bug to set that option to enabled by default for both modes.
> However, having it set to disabled doesn't mean that any user can access a filesystem. Those options are kind of misnomers - they're actually removing the limit on port ranges for privileged ports. When they are set to "on" then you are only allowed a set range of ports to access NFS and mount with. (1-1024)
Yes, and this is the point. It means the user on the client is privileged, normally root. If you allow NFS from non-privileged ports then all bets are off as to who is accessing the filesystem. I can impersonate any user, effectively bypassing any filesystem permissions. It works great, we tried it.
> They really don't have anything to do with the user that is mounting. Users can't mount from Linux clients by default. You have to configure the client to allow it. And users can mount via privileged ports. The non-privileged ports are specified at mount.
They do not need access to mount the filesystem on the client to access the filesystem on the netapp so any security on the mount system call is moot. See below.
> The port behavior is still controlled by the client. If you don't want non-privileged ports, then don't allow them on the client. :)
Consider this scenario. I have a machine that users can SSH to. The machine, like any normal host, allows unprivileged processes to make outbound IP connections. The home directories are mounted from a netapp filer. The user establishes port forwarding from SSH, then mounts the filesystem from the netapp on their home machine. The netapp sees NFS connections from the host and allows NFS as per normal. The actual NFS traffic is being generated from the user's home desktop and port forwarded by SSH.
Note this is not an SSH security issue; the user could just as easily run an NFS client process locally. SSH just makes it easy.
Without the restriction on privileged ports, any user can impersonate any other user in the NFS filesystem.
Regards, pdg
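
An added example, not part of the original thread: a way to audit which clients reach the filer's NFS service from non-privileged source ports, which is how traffic relayed by an unprivileged process (such as the SSH forward described above) appears on the wire. The flow-log line format, the sample records, the port set and the function name are all constructed for this illustration.

```python
import re
from collections import defaultdict

# Assumptions: NFS is served on 2049; add the site's mountd port if it is fixed.
NFS_PORTS = {2049}
# Reserved (privileged) source ports on Unix clients are those below 1024.
RESERVED_MAX = 1023

# Constructed flow-log format: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample records (not taken from any real system).
SAMPLE_FLOWS = """\
2013-08-13T00:40:01Z tcp 10.1.1.20:923 -> 10.1.9.5:2049
2013-08-13T00:41:17Z tcp 10.1.1.30:51844 -> 10.1.9.5:2049
2013-08-13T00:41:20Z tcp 10.1.1.30:51850 -> 10.1.9.5:2049
2013-08-13T00:42:02Z udp 10.1.1.20:760 -> 10.1.9.5:2049
2013-08-13T00:43:09Z tcp 10.1.1.30:40022 -> 10.1.9.7:443
this line is malformed on purpose
"""


def unprivileged_nfs_clients(text, nfs_ports=NFS_PORTS):
    """Return ({client_ip: [source ports]}, skipped_line_count).

    A client is listed when it opened a flow to an NFS port from a source
    port outside 1..1023, i.e. from a socket that any local user could own.
    """
    hits = defaultdict(list)
    skipped = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = FLOW_RE.match(line)
        if m is None:
            skipped += 1  # count unparsable lines instead of silently dropping them
            continue
        sport, dport = int(m["sport"]), int(m["dport"])
        if dport in nfs_ports and not (1 <= sport <= RESERVED_MAX):
            hits[m["src"]].append(sport)
    return dict(hits), skipped


if __name__ == "__main__":
    clients, skipped = unprivileged_nfs_clients(SAMPLE_FLOWS)
    for ip, ports in sorted(clients.items()):
        print(f"{ip}: NFS from non-privileged source ports {ports}")
    print(f"skipped {skipped} unparsable line(s)")
```

Running the same audit before turning the restriction on also shows which legitimate clients would be cut off by it.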