Re: nfs_mount in AIX

Tom Fitzgerald (fitz@wang.com)
Tue, 25 Apr 95 21:15:58 EDT

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Matthew Bontoft: "Re: Obtaining NIS domainname from Gatorbox"
Previous message: rick@msc.cornell.edu: "nfs_mount in AIX"
In reply to: rick@msc.cornell.edu: "nfs_mount in AIX"
Next in thread: rick@msc.cornell.edu: "Re: nfs_mount in AIX"

> It appears that the completely undocumented routine 'nfs_mount' can be
> used by a non-root user to mount a daemon on a directory ala NFS.  It
> seems to me that this is a very nasty security hole.
> 
> I can't offer more details since, as I said, the routine is completely
> undocumented, and the only working example I have is in a piece of
> third-party software to which I do not have source.
> 
> I would appreciate it if someone could shed some light on this.

Here's a little additional information.....  the nfs_mount routine does its
work through the vmount() system call, which is documented.  If this is a
security hole at all, then it's because it would let an attacker mount a
remote filesystem under his control onto a world-readable directory like
/tmp or /var/preserve, and thereby grab a copy of everything that was
written to that directory.  Anybody want to write a test program?

nfs_mount is in librpcsvc.a, but offers nothing beyond what vmount() gives
(since it's just a subroutine anyway) aside from a simpler interface.

-- 
Tom Fitzgerald    1-508-967-5278    Wang Labs, Lowell MA, USA    fitz@wang.com

Next message: Matthew Bontoft: "Re: Obtaining NIS domainname from Gatorbox"
Previous message: rick@msc.cornell.edu: "nfs_mount in AIX"
In reply to: rick@msc.cornell.edu: "nfs_mount in AIX"
Next in thread: rick@msc.cornell.edu: "Re: nfs_mount in AIX"