Bug 162009

Summary: [patch] [kerberos] getpwnam_r buf too small nfs assigns root:user to krb5 clients
Product: Base System Reporter: hcoin
Component: kernAssignee: freebsd-bugs (Nobody) <bugs>
Status: Open ---    
Severity: Affects Only Me    
Priority: Normal    
Version: Unspecified   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
file.diff
none
file.diff
none
file.diff
none
nfskrb5bsdpatches.tbz none

Description hcoin 2011-10-25 18:10:09 UTC
On nfs shares serving kerberos protected accounts, freebsd will assign to files of normal users the ownership root:user.  About as major a security hole as you can expect.

Fix: grep -r 'getpw*_r' /usr/src.  Start hunting.  I found some previously mentioned in bug reports.  Here's another 2.  Basically the problem is 128 byte buffer too small to hold what getpwnam_r returns, plus inadequate error processing (i.e. no log, no user notification...)

patch -p 
How-To-Repeat: nfs share a directory requiring the use of kerberos.  Make sure the principal name maps to a user with a long name and plenty of gecos and other info in the structures relevant to getpw*_r.  Mount the directory on a client.  Log into the client as a normal user.   Create a file on mount.   Note the ownership of the file is root:user.
Comment 1 Harry Coin 2011-10-26 02:07:56 UTC
Find attached a tbz that has all the necessary patches I've filed to 
date against freebsd 8 stable that accomplish the following:

1.  Alter no current behavior but make more optional (whether I like it 
or not*).  2.  Let NFS do with -sec=krb5x everything it was capable of 
doing without -sec=krb5.  3. make it possible as it was pre kerberos for 
a server to restrict shares to certain boxes while not letting locally 
authorized users access to those shares via other clients, nfs3 or 
nfs4.  4.  Make it possible for accounts associated with principal names 
including a / to have correct file ownership when using mounted shares 
(all gssapi service accounts related cyrus-sasl accounts, openldap / 
slapd, nslcd, nfs itself, and in my world all accounts with uid <1000).  
5. Fix bugs giving normal users files over nfs with ownership root:user 
(includes many global rpc fixes relative to longer passwd entries)  6. 
Make it possible for accounts with /nonexistent home directories to have 
.k5login capabilities (/etc/k5login.d)  7.  Caching to vastly speed up 
validating local accounts against principals and vice versa (nfs speedup).

Fair notice, the folk on the hiemdal discussion list generally think 
some of these features need doing, but do not approve of the choices I 
made about how to do it.  Others take great exception to mapping 
principal names with a / to user accounts per box.  Still others think 
the entire matter of 'taint' is mishandled and needs removing from 
kerberos entirely.   A fair few other observations occurred as well. 
Some mention they aim to provide similar functions in code to be written 
in due course.  So, while they are working on those, in the meantime, 
enjoy a fully functional krb5/nfs and protected ldap  keytab!

Full BSD licenses on all added code.  Cheers!

Harry Coin

Comment 2 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 07:58:59 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped