From simonm@solander.dcs.gla.ac.uk  Fri Dec  8 04:26:11 1995
Received: from who.cdrom.com (who.cdrom.com [192.216.222.3])
          by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id EAA00803
          for <FreeBSD-gnats-submit@freebsd.org>; Fri, 8 Dec 1995 04:26:02 -0800 (PST)
Received: from solander.dcs.gla.ac.uk (solander.dcs.gla.ac.uk [130.209.240.201])
          by who.cdrom.com (8.6.12/8.6.11) with ESMTP id EAA17727
          for <FreeBSD-gnats-submit@freebsd.org>; Fri, 8 Dec 1995 04:25:51 -0800
Received: (from root@localhost) by solander.dcs.gla.ac.uk (8.6.12/8.6.12) id MAA01316; Fri, 8 Dec 1995 12:23:50 GMT
Message-Id: <199512081223.MAA01316@solander.dcs.gla.ac.uk>
Date: Fri, 8 Dec 1995 12:23:50 GMT
From: simonm@dcs.gla.ac.uk
Reply-To: simonm@dcs.gla.ac.uk
To: FreeBSD-gnats-submit@freebsd.org
Subject: NFS security bug
X-Send-Pr-Version: 3.2

>Number:         876
>Category:       kern
>Synopsis:       NFS allows bogus accesses to cached data
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    dfr
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Dec  8 04:30:01 PST 1995
>Closed-Date:    Fri May 9 06:19:51 PDT 1997
>Last-Modified:  Fri May  9 06:20:13 PDT 1997
>Originator:     Simon Marlow
>Release:        FreeBSD 2.1.0-RELEASE i386
>Organization:
University of Glasgow
>Environment:
(see below)
>Description:

root can access non-world-readable files on an NFS mounted partition
that have been recently read legitimately.

>How-To-Repeat:

As a normal user (say 'fred'), who has a home directory on an NFS
mounted partition.  The partition is exported with no special root
access flags, so root should have access only to files which are world
readable.

% cat >a
hello
^D
% chmod 600 a

As root:

# more ~fred/a
a: permission denied

As fred:

% cat a
hello
%

As root:

# cat ~fred/a
hello


>Fix:

dunno :-)
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed  
State-Changed-By: scrappy 
State-Changed-When: Thu Apr 11 11:36:49 PDT 1996 
State-Changed-Why:  
tested "how to repeat" on local -current machine and cat/more 
give "No Permission" errors, as expected 
State-Changed-From-To: closed->open 
State-Changed-By: mpp 
State-Changed-When: Thu Apr 11 14:46:25 PDT 1996 
State-Changed-Why:  
I think that this problem still exists, since I don't see 
any recent NFS changes that look like they would have fixed the problem 
since I last repeated it, so I'm going to keep this open until I  
have a chance to verify it for myself.  I also assigned the PR to myself. 


Responsible-Changed-From-To: freebsd-bugs->mpp 
Responsible-Changed-By: mpp 
Responsible-Changed-When: Thu Apr 11 14:46:25 PDT 1996 
Responsible-Changed-Why:  
Responsible-Changed-From-To: mpp->freebsd-bugs 
Responsible-Changed-By: mpp 
Responsible-Changed-When: Sat Feb 1 16:00:08 PST 1997 
Responsible-Changed-Why:  
I'm not going to get to this anytime soon, so it is up 
for grabs. 
Responsible-Changed-From-To: freebsd-bugs->dfr 
Responsible-Changed-By: dfr 
Responsible-Changed-When: Tue May 6 03:11:43 PDT 1997 
Responsible-Changed-Why:  
Time to fix this one. 
State-Changed-From-To: open->closed 
State-Changed-By: dfr 
State-Changed-When: Fri May 9 06:19:51 PDT 1997 
State-Changed-Why:  
Fixed in rev 1.48 of nfs_vnops.c. 
>Unformatted:
Simon Marlow
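
Added example, not part of the original report and not FreeBSD code: a toy C model that replays the How-To-Repeat sequence against a client data cache, once with cache hits returned unchecked and once with the server consulted for every caller.
Assumptions: the server maps client root to an unprivileged uid, only the server enforces permissions, and all names (server_read, client_read, replay, NOBODY, the recheck flag) are hypothetical; the recheck variant is one possible mitigation, not a description of the change in rev 1.48.

```c
/* Toy model of the report's sequence; not FreeBSD code. Names are hypothetical. */
#include <stdio.h>
#define ROOT   0
#define FRED   1001   /* constructed uid for the report's user 'fred' */
#define NOBODY 65534  /* assumed uid the server maps client root to */
struct file   { int owner; int mode; const char *data; };  /* server copy */
struct client { int cached; char buf[32]; };               /* client data cache */

/* Server-side read: the only place permissions are enforced in this model. */
static int server_read(const struct file *f, int uid, char *out, size_t n)
{
    int eff = (uid == ROOT) ? NOBODY : uid;     /* export has no root access flags */
    int bit = (eff == f->owner) ? 0400 : 0004;  /* owner-read or other-read bit */
    if (!(f->mode & bit))
        return -1;                              /* permission denied */
    snprintf(out, n, "%s", f->data);
    return 0;
}

/* recheck == 0: a cache hit is returned without asking the server (assumed cause
 * of the report). recheck == 1: the server vets every caller before data is returned. */
static int client_read(struct client *c, const struct file *f, int uid,
                       int recheck, char *out, size_t n)
{
    if (!c->cached || recheck) {
        if (server_read(f, uid, c->buf, sizeof c->buf) != 0)
            return -1;
        c->cached = 1;
    }
    snprintf(out, n, "%s", c->buf);
    return 0;
}

/* Replays How-To-Repeat; returns the result of root's second read. */
static int replay(int recheck)
{
    struct file a = { FRED, 0600, "hello" };
    struct client c = { 0, "" };
    char out[32];
    if (client_read(&c, &a, ROOT, recheck, out, sizeof out) == 0) return 1;  /* first root read must fail */
    if (client_read(&c, &a, FRED, recheck, out, sizeof out) != 0) return 2;  /* fred's read must succeed */
    return client_read(&c, &a, ROOT, recheck, out, sizeof out);
}

int main(void)
{
    printf("unchecked cache hit: %d, rechecked: %d\n", replay(0), replay(1));
    return 0;
}
```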
