Unprivileged NFS access
Summary
NFS server executes requests from unprivileged user programs.
Impact
A malicious user can execute NFS file access requests on behalf of any user.
Background
When an NFS client host wants to access a remote file or directory, its
operating system sends a request to the NFS server. The request
specifies, among other things, a file identifier, the operation (read, write,
change permission, etc.), and the identity of the user on whose behalf
the operation is to be done.
By default, the user identity is specified with the UNIX numeric user
and group ids. With this scheme, also called AUTH_UNIX, the server
simply believes anything that the client sends it.
The problem
An NFS request is nothing but a network message. Any user can run a
program that generates arbitrary NFS requests. Such programs have been
available for several years, and writing them does not require unusual
programming skills.
When an NFS server accepts requests with AUTH_UNIX authentication from
unprivileged user programs, a malicious user can execute file access
requests on behalf of any user. Reason: with AUTH_UNIX authentication,
the user identity is nothing but a few user and group ID numbers in a
network message.
Fix
The fix is to avoid AUTH_UNIX authentication and to use something that
involves cryptography. For example, secure NFS with DES or Kerberos
credentials. Unfortunately, many NFS implementations support AUTH_UNIX
authentication only. Consult your system documentation.
A partial, but more common, solution is to configure the NFS server,
and where possible, the mount daemon, to accept requests only from
privileged system programs (such as UNIX kernels), and to reject NFS
requests that are sent by unprivileged user programs.
- SunOS 4 administrators modify /etc/rc.local:
  - run rpc.mountd without the -n option
  - echo "nfs_portmon/W1" | adb -w /vmunix /dev/kmem
- SunOS 5 administrators modify /etc/system:
  - set nfs:nfs_portmon = 1 (prior to Solaris 5.5)
  - set nfssrv:nfs_portmon = 1 (as of Solaris 5.5)
On other systems, the mountd command-line options differ, and the
kernel variable may be called nfsportmon or something similar.
Note: rejecting NFS requests from unprivileged user programs
does not protect your servers against malicious superusers or against
malicious PC programs.
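As an added illustration (not code from this advisory or from any NFS implementation), the Python below decodes an AUTH_UNIX credential body to show that the claimed identity is nothing but a machine name and a few numbers, then applies the nfs_portmon-style rule from the fix above, trusting only requests that arrive from a privileged source port. The sample credential bytes, the function names and the port threshold used here are assumptions made for the example.

```python
import struct

# Source ports below 1024 can only be bound by root on classic UNIX systems;
# that is the basis of the nfs_portmon check (assumed threshold, see above).
PRIVILEGED_PORT_MAX = 1023

# Constructed sample AUTH_UNIX credential body (XDR encoded): stamp 42,
# machine name "client", uid 0, gid 0, one supplementary gid (10).
SAMPLE_CRED = (
    b"\x00\x00\x00\x2a"                # stamp
    b"\x00\x00\x00\x06client\x00\x00"  # string: length 6, data padded to 8
    b"\x00\x00\x00\x00"                # uid 0 (root), just a number on the wire
    b"\x00\x00\x00\x00"                # gid 0
    b"\x00\x00\x00\x01"                # number of supplementary gids
    b"\x00\x00\x00\x0a"                # supplementary gid 10
)

def parse_auth_unix(cred: bytes) -> dict:
    """Decode an AUTH_UNIX credential body; nothing in it is verified."""
    off = 0

    def u32() -> int:
        nonlocal off
        (value,) = struct.unpack_from(">I", cred, off)
        off += 4
        return value

    stamp = u32()
    name_len = u32()
    machine = cred[off:off + name_len].decode("ascii")
    off += (name_len + 3) & ~3          # XDR pads strings to a 4-byte boundary
    uid, gid = u32(), u32()
    gids = [u32() for _ in range(u32())]
    return {"stamp": stamp, "machine": machine, "uid": uid, "gid": gid, "gids": gids}

def portmon_accept(src_port: int) -> bool:
    """nfs_portmon policy: only privileged source ports are trusted."""
    return 0 < src_port <= PRIVILEGED_PORT_MAX

def evaluate_request(src_port: int, cred: bytes) -> dict:
    """Apply the port check and keep the claimed identity for logging."""
    identity = parse_auth_unix(cred)
    accepted = portmon_accept(src_port)
    reason = "privileged source port" if accepted else "unprivileged source port"
    return {"accepted": accepted, "reason": reason, "claimed": identity}

if __name__ == "__main__":
    for port in (1010, 40000):
        print(port, evaluate_request(port, SAMPLE_CRED))
```

As the note above says, the port check only filters requests from unprivileged user programs; a root user or a PC client can still send any credential it likes.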
Other tips
- Where practical, export file systems read-only.
- Consider blocking ports 2049 (nfs) and 111 (portmap) on your
routers.