On NFS shares serving Kerberos-protected accounts, FreeBSD will assign to files of normal users the ownership root:user. About as major a security hole as you can expect.
Fix: grep -r 'getpw*_r' /usr/src. Start hunting. I found some previously mentioned in bug reports. Here are another two. Basically the problem is a 128-byte buffer too small to hold what getpwnam_r returns, plus inadequate error processing (i.e. no log, no user notification...).
How-To-Repeat: NFS-share a directory requiring the use of Kerberos. Make sure the principal name maps to a user with a long name and plenty of gecos and other info in the structures relevant to getpw*_r. Mount the directory on a client. Log into the client as a normal user. Create a file on the mount. Note the ownership of the file is root:user.
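Added illustration of the bug class the report describes (not the reporter's patches and not FreeBSD code): one getpwnam_r() attempt with a caller-chosen fixed buffer, which is exactly what fails when the passwd entry carries a long name, gecos, home and shell, beside the pattern that sizes the buffer from sysconf(_SC_GETPW_R_SIZE_MAX), grows it on ERANGE, and refuses the mapping (with a log line) rather than falling through to whatever uid happens to be in an unfilled struct. The function names, the 1 MiB growth cap and the user names "root" and "no-such-user-zz" are assumptions for the example; the only behaviour relied on is POSIX getpwnam_r() semantics.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* One getpwnam_r() attempt with a fixed buffer size, modelling the
 * 128-byte buffers in the report. Returns 0 and fills *uid only on a
 * definite hit; ERANGE when the entry does not fit; ENOENT when no such
 * user exists; any other errno from the resolver. The struct passwd is
 * only meaningful when res != NULL, so *uid is never touched otherwise. */
int try_fixed_buffer(const char *name, size_t bufsize, uid_t *uid)
{
    struct passwd pw, *res = NULL;
    char *buf = malloc(bufsize);
    int rc;

    if (buf == NULL)
        return ENOMEM;
    rc = getpwnam_r(name, &pw, buf, bufsize, &res);
    if (rc == 0 && res == NULL)
        rc = ENOENT;            /* lookup worked, user does not exist */
    if (rc == 0)
        *uid = pw.pw_uid;       /* valid only because res != NULL here */
    free(buf);
    return rc;
}

/* Hardened mapping: start from the system's size hint and double the
 * buffer on ERANGE instead of giving up. The cap is an assumption for
 * this example so a hostile directory entry cannot force unbounded
 * allocation. */
int map_name_to_uid(const char *name, uid_t *uid)
{
    long hint = sysconf(_SC_GETPW_R_SIZE_MAX);
    size_t bufsize = hint > 0 ? (size_t)hint : 1024;
    const size_t max_bufsize = (size_t)1 << 20;   /* assumed 1 MiB cap */
    int rc;

    for (;;) {
        rc = try_fixed_buffer(name, bufsize, uid);
        if (rc != ERANGE)
            return rc;
        if (bufsize >= max_bufsize)
            return ERANGE;
        bufsize *= 2;
    }
}

/* The error processing the report says is missing: on any failure log it
 * and refuse, never hand a default uid (0 == root) to the file layer.
 * Returns 0 on success, -1 on refusal. */
int resolve_or_refuse(const char *name, uid_t *uid)
{
    int rc = map_name_to_uid(name, uid);

    if (rc != 0) {
        fprintf(stderr, "refusing to map principal '%s': %s\n",
                name, strerror(rc));
        return -1;
    }
    return 0;
}

int main(void)
{
    uid_t uid = 0;

    /* A 1-byte buffer cannot hold even "root"; the only safe answer is
     * "no mapping", not uid 0. */
    printf("fixed 1-byte buffer: %s\n",
           strerror(try_fixed_buffer("root", 1, &uid)));
    if (resolve_or_refuse("root", &uid) == 0)
        printf("root -> uid %lu\n", (unsigned long)uid);
    if (resolve_or_refuse("no-such-user-zz", &uid) != 0)
        printf("unknown principal correctly refused\n");
    return 0;
}
```

The point of the split is that try_fixed_buffer() makes ERANGE a distinct, visible outcome instead of something the caller can ignore: any code path that reads pw_uid after a non-zero return (or a NULL result pointer) is reading an unspecified struct, and on a zero-initialised struct that reads as root.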
Find attached a tbz that has all the necessary patches I've filed to date against FreeBSD 8-STABLE that accomplish the following:
1. Alter no current behavior but make more optional (whether I like it or not*).
2. Let NFS do with -sec=krb5x everything it was capable of doing without -sec=krb5.
3. Make it possible, as it was pre-Kerberos, for a server to restrict shares to certain boxes while not letting locally authorized users access those shares via other clients, NFSv3 or NFSv4.
4. Make it possible for accounts associated with principal names including a / to have correct file ownership when using mounted shares (all GSSAPI service accounts, related cyrus-sasl accounts, openldap / slapd, nslcd, NFS itself, and in my world all accounts with uid <1000).
5. Fix bugs giving normal users files over NFS with ownership root:user (includes many global RPC fixes relative to longer passwd entries).
6. Make it possible for accounts with /nonexistent home directories to have .k5login capabilities (/etc/k5login.d).
7. Caching to vastly speed up validating local accounts against principals and vice versa (NFS speedup).
Fair notice: the folk on the Heimdal discussion list generally think some of these features need doing, but do not approve of the choices I made about how to do it. Others take great exception to mapping principal names with a / to user accounts per box. Still others think the entire matter of 'taint' is mishandled and needs removing from Kerberos entirely. A fair few other observations occurred as well. Some mention they aim to provide similar functions in code to be written in due course. So, while they are working on those, in the meantime, enjoy a fully functional krb5/NFS and protected LDAP keytab!
Full BSD licenses on all added code. Cheers!
For bugs matching the following criteria: Status: In Progress; Changed: (is less than) 2014-06-01.
Reset to default assignee and clear in-progress tags.
Mail being skipped.