On nfs shares serving kerberos protected accounts, freebsd will assign to files of normal users the ownership root:user. About as major a security hole as you can expect. Fix: grep -r 'getpw*_r' /usr/src. Start hunting. I found some previously mentioned in bug reports. Here's another 2. Basically the problem is 128 byte buffer too small to hold what getpwnam_r returns, plus inadequate error processing (i.e. no log, no user notification...) patch -p How-To-Repeat: nfs share a directory requiring the use of kerberos. Make sure the principal name maps to a user with a long name and plenty of gecos and other info in the structures relevant to getpw*_r. Mount the directory on a client. Log into the client as a normal user. Create a file on mount. Note the ownership of the file is root:user.
Find attached a tbz that has all the necessary patches I've filed to date against freebsd 8 stable that accomplish the following: 1. Alter no current behavior but make more optional (whether I like it or not*). 2. Let NFS do with -sec=krb5x everything it was capable of doing without -sec=krb5. 3. make it possible as it was pre kerberos for a server to restrict shares to certain boxes while not letting locally authorized users access to those shares via other clients, nfs3 or nfs4. 4. Make it possible for accounts associated with principal names including a / to have correct file ownership when using mounted shares (all gssapi service accounts related cyrus-sasl accounts, openldap / slapd, nslcd, nfs itself, and in my world all accounts with uid <1000). 5. Fix bugs giving normal users files over nfs with ownership root:user (includes many global rpc fixes relative to longer passwd entries) 6. Make it possible for accounts with /nonexistent home directories to have .k5login capabilities (/etc/k5login.d) 7. Caching to vastly speed up validating local accounts against principals and vice versa (nfs speedup). Fair notice, the folk on the hiemdal discussion list generally think some of these features need doing, but do not approve of the choices I made about how to do it. Others take great exception to mapping principal names with a / to user accounts per box. Still others think the entire matter of 'taint' is mishandled and needs removing from kerberos entirely. A fair few other observations occurred as well. Some mention they aim to provide similar functions in code to be written in due course. So, while they are working on those, in the meantime, enjoy a fully functional krb5/nfs and protected ldap keytab! Full BSD licenses on all added code. Cheers! Harry Coin
For bugs matching the following criteria: Status: In Progress Changed: (is less than) 2014-06-01 Reset to default assignee and clear in-progress tags. Mail being skipped
Keyword: patch or patch-ready – in lieu of summary line prefix: [patch] * bulk change for the keyword * summary lines may be edited manually (not in bulk). Keyword descriptions and search interface: <https://bugs.freebsd.org/bugzilla/describekeywords.cgi>