[0/2] nfsd symlink vulnerability patch

Message ID ccb8fb74-7b8d-418b-bbbc-9848aeb8a6c8@hyub.org

Christopher Bii Dec. 5, 2024, 2:04 a.m. UTC
It is hinted in the configuration files that an attacker could gain access to arbitrary folders by guessing symlink paths that match exported dirs, but this is not the case. They can get access to the root export with certainty by simply symlinking to "../../../../../../../", which will nearly* always return "/".

This is due to realpath() being called in the main thread, which isn't chrooted, concatenating the result with the export root to create the export entry's final absolute path, which the kernel then exports.

Also, a linker issue arose, so I have added another small hack just to get it compiled correctly.


Christopher Bii (2):
   Exportfs changes - When an export rootdir is present, nfsd_realpath()
     wrapper is used to avoid symlink exploits. - Removed canonicalization
     of rootdir paths. Export rootdir must now be an absolute path. -
     Implemented nfsd_path.h
   Temporary fix for build issue for mount util.

  support/export/export.c     |  24 +--
  support/include/nfsd_path.h |   9 +-
  support/misc/nfsd_path.c    | 362 ++++++++++++------------------------
  support/nfs/exports.c       |  59 +++---
  utils/exportfs/exportfs.c   |   8 +-
  5 files changed, 170 insertions(+), 292 deletions(-)
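
The cover letter's point is that resolving an export path in the host namespace and then prepending the export root is not the same as resolving it inside that root: ".." components and absolute symlink targets escape before the root is ever applied. The C program below is an added illustration written for this page, not code from nfs-utils or from this series. The names resolve_within_root, host_resolution_escapes and demo_checks are chosen here; the scratch directory under /tmp, its data/ subdirectory and the two symlinks are constructed for the demo (share points at the "../../../../../../../" target quoted in the cover letter); and the confined resolver is a purely lexical walk over lstat()/readlink() that stands in for the chrooted-thread approach the series takes, since a demo should not need the privileges a real chroot requires.

```c
#define _DEFAULT_SOURCE
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define MAX_LINK_HOPS 40 /* loop guard chosen for this demo, not an nfs-utils value */

/* Resolve path the way a process chrooted to root would see it: ".." clamps at root
 * and absolute symlink targets restart at root. out receives the host-side path.
 * Returns 0 on success, -1 on a missing component, an overlong path or a link loop. */
int resolve_within_root(const char *root, const char *path, char *out, size_t outsz)
{
    char todo[PATH_MAX], rel[PATH_MAX] = "", comp[PATH_MAX];   /* rel "" is the chroot's "/" */
    char host[PATH_MAX], target[PATH_MAX], next[PATH_MAX];
    struct stat st; int hops = 0;

    if (snprintf(todo, sizeof todo, "%s", path) >= (int)sizeof todo) return -1;
    for (;;) {
        char *p = todo;
        size_t n, rl;
        while (*p == '/') p++;
        if (!*p) break;
        n = strcspn(p, "/");
        memcpy(comp, p, n);
        comp[n] = '\0';
        memmove(todo, p + n, strlen(p + n) + 1);               /* consume the component */
        if (strcmp(comp, ".") == 0) continue;
        if (strcmp(comp, "..") == 0) {                         /* pop one level; never above root */
            char *s = strrchr(rel, '/');
            *(s ? s : rel) = '\0';
            continue;
        }
        if (snprintf(host, sizeof host, "%s%s/%s", root, rel, comp) >= (int)sizeof host) return -1;
        if (lstat(host, &st) != 0) return -1;                   /* every component must exist */
        if (S_ISLNK(st.st_mode)) {
            ssize_t len = ++hops > MAX_LINK_HOPS ? -1 : readlink(host, target, sizeof target - 1);
            if (len < 0) return -1;
            target[len] = '\0';
            if (target[0] == '/') rel[0] = '\0';                /* "/x" means root/x, not host /x */
            if (snprintf(next, sizeof next, "%s/%s", target, todo) >= (int)sizeof next) return -1;
            memcpy(todo, next, strlen(next) + 1);              /* walk the target, then the rest */
            continue;
        }
        rl = strlen(rel);
        if (rl + n + 2 > sizeof rel) return -1;
        rel[rl] = '/';
        memcpy(rel + rl + 1, comp, n + 1);
    }
    return snprintf(out, outsz, "%s%s", root, rel) >= (int)outsz ? -1 : 0;
}

/* What a realpath() call in a non-chrooted thread (or the kernel's own lookup) makes of
 * root/path. real must hold PATH_MAX bytes. Returns 1 if the result lies outside root,
 * 0 if it stays inside, -1 if it cannot be resolved at all. */
int host_resolution_escapes(const char *root, const char *path, char *real)
{
    char host[PATH_MAX];
    size_t rl = strlen(root);
    if (snprintf(host, sizeof host, "%s/%s", root, path) >= (int)sizeof host) return -1;
    if (!realpath(host, real)) return -1;
    if (strncmp(real, root, rl) != 0) return 1;
    return (real[rl] == '\0' || real[rl] == '/') ? 0 : 1;       /* "/r2" is not under "/r" */
}

/* Constructed scratch export root: a data/ directory, the cover letter's "share" symlink
 * to ../../../../../../../, and an absolute symlink abs -> /data. */
static int make_demo_root(char *root)
{
    char tmpl[] = "/tmp/exportroot.XXXXXX", data[PATH_MAX], share[PATH_MAX], abs[PATH_MAX];
    if (!mkdtemp(tmpl) || !realpath(tmpl, root)) return -1;
    snprintf(data, sizeof data, "%s/data", root);
    snprintf(share, sizeof share, "%s/share", root);
    snprintf(abs, sizeof abs, "%s/abs", root);
    return mkdir(data, 0700) || symlink("../../../../../../../", share) || symlink("/data", abs) ? -1 : 0;
}

static void remove_demo_root(const char *root)                /* best-effort cleanup */
{
    char p[PATH_MAX];
    snprintf(p, sizeof p, "%s/share", root); unlink(p);
    snprintf(p, sizeof p, "%s/abs", root);   unlink(p);
    snprintf(p, sizeof p, "%s/data", root);  rmdir(p);
    rmdir(root);
}

/* Returns 0 when every expectation holds, otherwise the number of the failed step. */
int demo_checks(void)
{
    char root[PATH_MAX], out[PATH_MAX], real[PATH_MAX], want[PATH_MAX];
    int rc = 0;
    if (make_demo_root(root) != 0) return 1;
    snprintf(want, sizeof want, "%s/data", root);
    /* 2: host-side resolution follows the ".." symlink right out of the root, to "/" */
    if (host_resolution_escapes(root, "share", real) != 1 || strcmp(real, "/") != 0) rc = 2;
    /* 3: the confined walk clamps the same symlink at the export root itself */
    else if (resolve_within_root(root, "/share", out, sizeof out) != 0 || strcmp(out, root) != 0) rc = 3;
    /* 4: an absolute target is re-based on the root, and ".." then walks back inside it */
    else if (resolve_within_root(root, "/abs/../data", out, sizeof out) != 0 || strcmp(out, want) != 0) rc = 4;
    remove_demo_root(root);
    return rc;
}

int main(void)
{
    int rc = demo_checks();
    printf("demo checks: %s (step %d)\n", rc == 0 ? "all held" : "failed", rc);
    return rc;
}
```

Compile with `cc -o demo demo.c` and run it; demo_checks() returns 0 when the host-side realpath() of root/share comes back as "/" (the escape the cover letter describes) while the confined walk clamps the same symlink at the export root. The scratch root under /tmp is shallow enough for seven ".." steps to reach "/", which is the sense in which the cover letter's "nearly" applies: a deeper export root would stop short. A check of the host_resolution_escapes() kind is what an exportfs-style tool can use to refuse an entry whose kernel-visible path would leave the configured rootdir.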

Comments

Christopher Bii Dec. 5, 2024, 2:10 a.m. UTC | #1
Although obvious, I believe, I forgot to mention that an alternate export root must be configured for this to be an issue.
