From owner-freebsd-hackers Tue Oct 24 20:43:33 1995 Return-Path: owner-hackers Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id UAA24498 for hackers-outgoing; Tue, 24 Oct 1995 20:43:33 -0700 Received: from Root.COM (implode.Root.COM [198.145.90.17]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id UAA24493 ; Tue, 24 Oct 1995 20:43:30 -0700 Received: from corbin.Root.COM (corbin [198.145.90.50]) by Root.COM (8.6.12/8.6.5) with ESMTP id UAA07118; Tue, 24 Oct 1995 20:43:29 -0700 Received: from localhost (localhost [127.0.0.1]) by corbin.Root.COM (8.6.12/8.6.5) with SMTP id UAA27854; Tue, 24 Oct 1995 20:38:46 -0700 Message-Id: <199510250338.UAA27854@corbin.Root.COM> To: mikebo@tellabs.com cc: hackers@freebsd.org, bugs@freebsd.org Subject: Re: 2.1.0-951020-SNAP: Major bug in NFS again! In-reply-to: Your message of "Tue, 24 Oct 95 21:45:17 CDT." <9510250245.AA11614@tellabk.tellabs.com> From: David Greenman Reply-To: davidg@Root.COM Date: Tue, 24 Oct 1995 20:38:46 -0700 Sender: owner-hackers@freebsd.org Precedence: bulk >This isn't something that can be changed on a Sun. Even configuring a >Sun with static routes won't really solve the problem, as someone/sometime >is bound to request a mount from an interface which is not the server's >default route. In that case, the reply would come from the interface >tagged with the default route. The onus is on the client to deal with it... The client should ignore NFS packets from hosts that it's not talking to or doesn't know about, and that's what all 4.4BSD derived OSs do. >This situation is correctly handled by every commercial UNIX OS I've >worked with. I don't know what security implications that has, but I >do know that FreeBSD's NFS (and so the whole OS) is useless to me >(and others running in a similar environment) unless it works with >Suns and plays by their rules. If I can't use the OS, the security >doesn't do me a damn bit of good! > >I can document this behavior in SunOS, Solaris and HP/UX if it will >help strengthen the argument. This is the real world behavior, and I'm >inclined to believe that FreeBSD is not in a position to dictate what's >"proper behaviour" to Sun (the progenitors of RPC and NFS) and the rest >of the commerical UNIX market. This is obviously flamebait and I'm not going to respond to it. >Sorry for the rambling discourse, but I need this fixed or I can't >use FreeBSD. At the least, can the "Sun behavior" I need be added >as an option to the mount command? If you choose not to use my suggested work-around, then I guess you can't use FreeBSD. For the NFS server, FreeBSD (and all other 4.4BSD derived systems) keep an authentication list in the kernel that is constructed from /etc/exports. For the NFS client, FreeBSD requires that replies to its RPC requests come from the same address that they were issued to. If it didn't work this way, then *anyone* could send bogus udp datagrams with hand-tailored RPC calls/replies to you and as long as that someone can come up with a file handle (which is relatively easy), he can do unchecked file operations and bypass the system security. Other commercial vendors are running old security- broken versions of NFS and this makes them wide open for security attacks. The best I could offer you would be a kernel option to disable this security, but I'll say right now that this *won't* be in the 2.1 release. -DG