From owner-freebsd-bugs  Fri Dec  8 04:30:09 1995
Return-Path: owner-bugs
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.3/8.7.3) id EAA00963
          for bugs-outgoing; Fri, 8 Dec 1995 04:30:09 -0800 (PST)
Received: (from gnats@localhost)
          by freefall.freebsd.org (8.7.3/8.7.3) id EAA00936
          Fri, 8 Dec 1995 04:30:03 -0800 (PST)
Resent-Date: Fri, 8 Dec 1995 04:30:03 -0800 (PST)
Resent-Message-Id: <199512081230.EAA00936@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, simonm@dcs.gla.ac.uk
Received: from who.cdrom.com (who.cdrom.com [192.216.222.3])
          by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id EAA00803
          for <FreeBSD-gnats-submit@freebsd.org>; Fri, 8 Dec 1995 04:26:02 -0800 (PST)
Received: from solander.dcs.gla.ac.uk (solander.dcs.gla.ac.uk [130.209.240.201])
          by who.cdrom.com (8.6.12/8.6.11) with ESMTP id EAA17727
          for <FreeBSD-gnats-submit@freebsd.org>; Fri, 8 Dec 1995 04:25:51 -0800
Received: (from root@localhost) by solander.dcs.gla.ac.uk (8.6.12/8.6.12) id MAA01316; Fri, 8 Dec 1995 12:23:50 GMT
Message-Id: <199512081223.MAA01316@solander.dcs.gla.ac.uk>
Date: Fri, 8 Dec 1995 12:23:50 GMT
From: simonm@dcs.gla.ac.uk
Reply-To: simonm@dcs.gla.ac.uk
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: kern/876: NFS security bug
Sender: owner-bugs@freebsd.org
Precedence: bulk


>Number:         876
>Category:       kern
>Synopsis:       NFS allows bogus accesses to cached data
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Dec  8 04:30:01 PST 1995
>Last-Modified:
>Originator:     Simon Marlow
>Organization:
University of Glasgow
>Release:        FreeBSD 2.1.0-RELEASE i386
>Environment:
(see below)
>Description:

root can access non-world-readable files on an NFS mounted partition
that have been recently read ligitimately.

>How-To-Repeat:

As a normal user (say 'fred'), who has a home directory on an NFS
mounted partition.  The partition is exported with no special root
access flags, so root should have access only to files which are world
readable.

% cat >a
hello
^D
% chmod 600 a

As root:

# more ~fred/a
a: permission denied

As fred:

% cat a
hello
%

As root:

# cat ~fred/a
hello


>Fix:

dunno :-)
>Audit-Trail:
>Unformatted:
Simon Marlow