From nobody@FreeBSD.org  Mon Oct 21 06:03:33 2002
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B3DDC37B401
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 21 Oct 2002 06:03:33 -0700 (PDT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 35FC543E75
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 21 Oct 2002 06:03:33 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.6/8.12.6) with ESMTP id g9LD3W7R048754
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 21 Oct 2002 06:03:32 -0700 (PDT)
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.6/8.12.6/Submit) id g9LD3Wrg048753;
	Mon, 21 Oct 2002 06:03:32 -0700 (PDT)
Message-Id: <200210211303.g9LD3Wrg048753@www.freebsd.org>
Date: Mon, 21 Oct 2002 06:03:32 -0700 (PDT)
From: Michael van Elst <mlelstv@dev.de.cw.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: NFSv3 client broken - security problem with attribute caching
X-Send-Pr-Version: www-1.0

>Number:         44336
>Category:       kern
>Synopsis:       [nfs] NFSv3 client broken - security problem with attribute caching
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Oct 21 06:10:10 PDT 2002
>Closed-Date:    Wed Feb 28 08:00:23 GMT 2007
>Last-Modified:  Wed Feb 28 08:00:23 GMT 2007
>Originator:     Michael van Elst
>Release:        FreeBSD 4.7-STABLE / FreeBSD 5.0-CURRENT
>Organization:
Cable&Wireless
>Environment:
FreeBSD dt1.dev.de.cw.net 4.7-STABLE FreeBSD 4.7-STABLE #0: Thu Oct 10 18:20:04 CEST 2002     root@dt1.dev.de.cw.net:/usr/src/sys/compile/DT1  i386

FreeBSD dv2.dev.de.cw.net 5.0-CURRENT FreeBSD 5.0-CURRENT #0: Tue Sep 17 17:25:48 CEST 2002   root@dv2.dev.de.cw.net:/usr/src/sys/i386/compile/DV2  i386

>Description:
Effect of chmod(1) is deferred on NFSv3 mounts.
>How-To-Repeat:
Mount a directory on a NFSv3 server (tested against a NetApp filer and
a FreeBSD-4.6-STABLE server) and change to that directory.

% touch foo
% chmod 644 foo ; echo >> foo
% chmod 0 foo ; echo >> foo
% chmod 0 foo ; echo >> foo
foo: Permission denied.
% chmod 644 foo ; echo >> foo
% chmod 0 foo ; sleep 2 ; echo >> foo
foo: Permission denied

Apparently it takes up to two seconds before the chmod becomes effective.

Most probable reason: the NFS client uses cached attributes that are not invalidated by chmod(1).

Repeating the same with a NFSv2 mount does not exhibit the problem.
Repeating the same on NetBSD1.6 and Solaris9 does not exhibit the problem.


>Fix:
      
>Release-Note:
>Audit-Trail:

From: "Peter Edwards" <pmedwards@eircom.net>
To: freebsd-gnats-submit@FreeBSD.org, mlelstv@dev.de.cw.net
Cc:  
Subject: Re: kern/44336: NFSv3 client broken - security problem with attribute caching
Date: Thu, 21 Nov 2002 20:38:51 +0000

 Interesting. My reading of the code produces the following understanding:
 
 Basically, there's a separate "access" cache, and an "attributes" cache. A
 "setattr" command doesn't clear the "access" cache. (Actually, I don't know
 how it flushes the "attribute" cache either, but I haven't studied the code
 enough to say that it doesn't.)
 
 I think the intention here is to keep the notion of accessibilty removed
 from the notions of attributes and ownership: eg, when user IDs are remapped
 by the server, the client can't assume it can access a file based on process
 user Id. It's also more useful for servers that don't have a UFS-style
 filesystem underlying the server. A quick scan of RFC1813 seems to confirm
 this.
 
 My naiive fix (reproduced below) stops this problem happening on my box:
 It's reasonable to expect that modifying the mode on a file will affect
 its accessibility (although I suppose its not neccessarily definite). The
 patch merely invalidates the access cache in the node, forcing the server
 to refetch if it needs it.
 
 E&OE. Don't take these as words of wisdom: I'm not an NFS hacker by any
 stretch of the imagination: I was just curious enough to look at the source
 and partially understand what was going on.
 
 BTW: I don't know if this is a major security concern, generally. If you had
 the file open and someone changes the mode, it doesn't prevent you from
 accessing it via the open handle (which I assume is similar to how the NFS
 server is getting away with it). And the updates will always be reasonably
 timely. It certainly breaks POLA in this case though.
 
 Index: nfs_vnops.c
 ===================================================================
 RCS file: /pub/FreeBSD/development/FreeBSD-CVS/src/sys/nfs/Attic/nfs_vnops.c,v
 retrieving revision 1.150.2.5
 diff -u -r1.150.2.5 nfs_vnops.c
 --- nfs_vnops.c 20 Dec 2001 19:56:28 -0000      1.150.2.5
 +++ nfs_vnops.c 21 Nov 2002 20:36:57 -0000
 @@ -743,6 +743,13 @@
                 (error = nfs_vinvalbuf(vp, V_SAVE, ap->a_cred,
                  ap->a_p, 1)) == EINTR)
                 return (error);
 +
 +       /*
 +        * It's likely that changing the file's mode will affect it's
 +        * accessibilty: invalidate access cache
 +        */
 +       if (vap->va_mode != (mode_t)VNOVAL)
 +           np->n_modestamp = 0;
         error = nfs_setattrrpc(vp, vap, ap->a_cred, ap->a_p);
         if (error && vap->va_size != VNOVAL) {
                 np->n_size = np->n_vattr.va_size = tsize;
 
 
State-Changed-From-To: open->patched 
State-Changed-By: peadar 
State-Changed-When: Sat Apr 3 08:33:26 PST 2004 
State-Changed-Why:  
Patch committed to -current 

http://www.freebsd.org/cgi/query-pr.cgi?pr=44336 
State-Changed-From-To: patched->closed 
State-Changed-By: remko 
State-Changed-When: Wed Feb 28 08:00:19 UTC 2007 
State-Changed-Why:  
The change had been in current for almost three years now. I think this 
is "MFC'ed" to the proper releases. Close the ticket. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=44336 
>Unformatted:
Committed a more complete version of this patch from Ian Dowse to
-current.
