From: le wang
Subject: Re: Kerberos+NFSv4: Security - Multiple sessions with same user. One ticket for all?
Date: Wed, 26 Aug 2009 17:09:18 -0400
To: Ondrej Valousek
Cc: NFS list, Linux NFSv4 mailing list
In-Reply-To: <4A9521AE.3010900@s3group.cz>

This is a security issue of NFS that exists extensively in NIS directory
environments, since regular NFS authentication depends on UID and GID:

  $ ypcat passwd | grep $FOO

to get the user FOO's UID and GID. Local root on ANY machine in this
directory could create a faked user with FOO's UID and GID through the
commands "groupadd" and "useradd", and then access FOO's files on any
machine.

If Kerberos 5 is applied, this kind of security issue could be solved
partially and limited to the scenario which Ondrej described below.

-Le

On Wed, Aug 26, 2009 at 7:51 AM, Ondrej Valousek wrote:
> This issue has already been discussed on this list.
> Local root has access to all credentials stored on that machine and there
> is nothing you can do about this. You can only tell the user not to log on
> to a machine which is already compromised by a malicious attacker having
> root access.
> Ondrej
>
> Carlos André wrote:
>
>> I got a strange security issue. I log on via SSH or local console with
>> my user and get a ticket; then if local root does su to my user, local root
>> can access my files.
>>
>> I'm using CentOS 5.3:
>> kernel-2.6.18-128.2.1.el5
>> krb5-workstation-1.6.1-31.el5_3.3
>>
>>
>> SESSION 1:
>> -----------------------------------------------------------------
>> $ ssh root@1.2.3.4
>> root@1.2.3.4's password:
>> Last login: Wed Aug 26 08:06:49 2009 from X
>> [root@KSTATION ~]# su carlos.andre
>> [carlos.andre@KSTATION root]$ klist
>> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_10000)
>>
>>
>> Kerberos 4 ticket cache: /tmp/tkt10000
>> klist: You have no tickets cached
>> [carlos.andre@KSTATION root]$ cd /misc/home/carlos.andre
>> bash: cd: /misc/home/carlos.andre: Permission denied
>> [carlos.andre@KSTATION root]$
>> -----------------------------------------------------------------
>> [--OK--]
>>
>>
>> SESSION 2:
>> -----------------------------------------------------------------
>> $ ssh carlos.andre@1.2.3.4
>> carlos.andre@1.2.3.4's password:
>> Last login: Wed Aug 26 08:01:33 2009 from X
>> [carlos.andre@KSTATION ~]$ klist
>> Ticket cache: FILE:/tmp/krb5cc_10000_PPLMqF
>> Default principal: carlos.andre@X.BR
>>
>> Valid starting     Expires            Service principal
>> 08/26/09 08:30:12  08/26/09 18:30:12  krbtgt/X.BR@X.BR
>>         renew until 08/26/09 08:30:12
>>
>>
>> Kerberos 4 ticket cache: /tmp/tkt10000
>> klist: You have no tickets cached
>> [carlos.andre@KSTATION ~]$ cd /misc/home/carlos.andre
>> [carlos.andre@KSTATION carlos.andre]$ ls -la
>> total 8
>> drwxrwx--- 2 carlos.andre users 4096 Aug 21 09:04 .
>> drwxr-xr-x 3 root         root     0 Aug 26 08:30 ..
>> [carlos.andre@KSTATION carlos.andre]$
>> -----------------------------------------------------------------
>> [--OK--]
>>
>>
>> NOW BACK TO SESSION 1:
>> -----------------------------------------------------------------
>> [carlos.andre@KSTATION root]$ cd /misc/home/carlos.andre
>> [carlos.andre@KSTATION carlos.andre]$ ls -la
>> total 8
>> drwxrwx--- 2 carlos.andre users 4096 Aug 21 09:04 .
>> drwxr-xr-x 3 root         root     0 Aug 26 08:30 ..
>> [carlos.andre@KSTATION carlos.andre]$ klist
>> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_10000)
>>
>>
>> Kerberos 4 ticket cache: /tmp/tkt10000
>> klist: You have no tickets cached
>> [carlos.andre@KSTATION carlos.andre]$
>> -----------------------------------------------------------------
>> [WTF!?!?]
>>
>> Then, if I log on to someone's machine, the local root user (after 'su' to my
>> user) will have access to my files, like NFS without Kerberos?? Is this
>> behavior "correct" or is it a bug?
>> And stranger still, the credentials: root 'su'ed to my user doesn't get
>> credentials, but still has access to my files...
>>
>> Or am I doing something wrong? -_-'
>>
>> Thanks.
>> _______________________________________________
>> NFSv4 mailing list
>> NFSv4@linux-nfs.org
>> http://linux-nfs.org/cgi-bin/mailman/listinfo/nfsv4
>>
>>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>

--
Le Wang
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The good man is the friend of all living things.
Gandhi, Mahatma (1869-1948)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
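Le Wang's point is that an export served with AUTH_SYS (sec=sys, the default when no sec= option is given) trusts whatever UID/GID the client presents, so any local root on any NIS client can impersonate FOO. The following Python audit is an added example, not code from the thread or from nfs-utils: it parses a constructed /etc/exports, flags every client entry that still accepts sec=sys, and shows the hardened option list. It assumes the usual `path client(options)` syntax and does not handle the `-options` default-option form; it also only addresses the AUTH_SYS half, not the "root on a host where the user already holds a ticket" case that Ondrej describes.

```python
import re
from typing import Dict, List

# Constructed sample /etc/exports (not from the thread): one export with
# no sec= at all, one that still lists sys, one that is Kerberos-only.
SAMPLE_EXPORTS = """\
# home directories served to the lab
/misc/home      *.example.org(rw,sync)
/srv/data       10.0.0.0/24(rw,sync,sec=sys:krb5)
/srv/secure     *.example.org(rw,sync,sec=krb5p)
"""

# client spec: a host/netgroup/wildcard followed by an optional (opt,opt,...)
ENTRY_RE = re.compile(r"([^(\s]+)(?:\((.*)\))?")


def parse_exports(text: str) -> List[Dict]:
    """Return one record per (path, client) pair with its option list."""
    records = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments / blanks
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            m = ENTRY_RE.fullmatch(client)
            opts = m.group(2).split(",") if m and m.group(2) else []
            records.append({"path": path, "client": m.group(1), "options": opts})
    return records


def sec_flavors(options: List[str]) -> List[str]:
    """Flavors from sec=a:b:c; exportfs falls back to sys when none is set."""
    for opt in options:
        if opt.startswith("sec="):
            return opt[4:].split(":")
    return ["sys"]


def audit(text: str) -> List[str]:
    """List exports that accept AUTH_SYS, i.e. trust the client's UID/GID."""
    findings = []
    for rec in parse_exports(text):
        if "sys" in sec_flavors(rec["options"]):
            findings.append(f'{rec["path"]} {rec["client"]}: accepts sec=sys')
    return findings


def harden(options: List[str], flavor: str = "krb5p") -> List[str]:
    """Replace any sec= option with a single Kerberos flavor (default krb5p)."""
    kept = [o for o in options if not o.startswith("sec=")]
    return kept + [f"sec={flavor}"]
```

A hardened export must still be mounted with a matching sec= flavor and rpc.gssd running on the client, otherwise the mount is simply refused.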