On 04/28/99 22:06:43 you wrote:
Ok, so I don't have the docs handy.. but if you have an "-access" option, it just seems kinda intuitive to me that you might actually *USE IT*. But maybe it's just me.
No bug here... that's the way all NFS servers work. It is a little non-intuitive but once you know what you're doing there is no problem. Changing it for Netapp would create another kind of security bug where simply copying what you used on one server wouldn't work on another despite expectations.
The problem lies in the documentation, for not explaining this more clearly. The example isn't meant to be taken literally as something all filer admins should do and thus would be appropriate for their environment. It's meant to be an example. Elsewhere the docs do explain the security implications of various options, but it should probably mention it specifically in the section Pete read, to prevent other people overreacting like Pete did and screaming to bugtraq that the sky is falling.
Bruce
------- Start of forwarded message (RFC 934 encapsulation) -------
From: pashdown@XMISSION.COM (Pete Ashdown)
Subject: Network Appliance NFS filer root hole
Date: 28 Apr 1999 15:58:45 -0400
Organization: Bugtraq List
Message-ID: 199904281658.KAA14944@slack.xmission.com
Reply-To: Pete Ashdown pashdown@XMISSION.COM
For Network Appliance NFS filer release: NetApp Release 5.2.1: Thu Dec 31 12:56:45 PST 1998
Following "Example 1" on page 136 of the "System Administrator's Guide" for the Network Appliance results in a gaping hole. In this example, they explain that "the following line exports the root directory of the default filer volume to the administration host with root privileges."
/vol/vol0 -root=adminhost
This is all fine and good, but it also exports to the WORLD with root privileges. You have to specify either "-access", or "-rw", or "-ro" in addition to "-root" for this not to happen. When I mentioned this to my NetApp SE, I was met with quizzical looks, but no code-update or patch. Thusly, I sent it to bugtraq.
------- End -------
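An added example, not part of either message above and not NetApp's code: a small audit script that scans exports lines for the exact mistake Pete describes, a `-root=host` entry with none of `-access`, `-rw` or `-ro` alongside it. The handling of the exports syntax (options separated by whitespace or commas, host lists after `=`) and the sample exports text are assumptions constructed for the example.

```python
"""Flag NFS exports entries that grant root to a host without restricting
the client list, i.e. "-root=host" with no -access/-rw/-ro option.
Added example; the accepted option syntax is an assumption."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Any of these options carries a host list and so limits who can mount.
RESTRICTING = ("access", "rw", "ro")


@dataclass
class Export:
    path: str
    options: Dict[str, str] = field(default_factory=dict)

    def restricts_clients(self) -> bool:
        # Only an option that actually names hosts narrows the client list.
        return any(self.options.get(opt) for opt in RESTRICTING)


def parse_export(line: str) -> Optional[Export]:
    """Parse one exports line; returns None for blank/comment lines.

    Assumed forms: "/path -root=a -access=b" and "/path -root=a,access=b".
    """
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    parts = line.split(None, 1)
    path = parts[0]
    options: Dict[str, str] = {}
    if len(parts) > 1:
        for token in re.split(r"[\s,]+", parts[1].strip()):
            token = token.lstrip("-")
            if not token:
                continue
            name, _, value = token.partition("=")
            options[name] = value
    return Export(path, options)


def audit(exports_text: str) -> List[Tuple[str, str]]:
    """Return (path, reason) for every entry that hands out root to the world."""
    findings: List[Tuple[str, str]] = []
    for lineno, raw in enumerate(exports_text.splitlines(), 1):
        export = parse_export(raw)
        if export is None:
            continue
        if "root" in export.options and not export.restricts_clients():
            findings.append((
                export.path,
                f"line {lineno}: -root={export.options['root']} with no "
                "-access/-rw/-ro host list; export is open to all clients",
            ))
    return findings


# Constructed sample, not a real filer configuration.
EXPORTS_SAMPLE = """\
# documentation example taken literally: root for adminhost, mountable by anyone
/vol/vol0 -root=adminhost
# same grant, client list restricted
/vol/vol0/home -root=adminhost,access=adminhost:nfsclient1
/vol/vol1 -root=adminhost -rw=adminhost
"""

if __name__ == "__main__":
    for path, reason in audit(EXPORTS_SAMPLE):
        print(f"{path}: {reason}")
```

Running the script on the sample reports only `/vol/vol0`; the two entries that pair `-root` with a host list on `-access` or `-rw` pass, which is the condition Pete's message says closes the hole.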