8-stable nfs+kerberos security hole
Harry Coin
harrycoin at aol.com
Thu Oct 27 02:16:51 UTC 2011
Kindly note Re: "[kernel security routines using] getpwnam_r buf too
small-- nfs assigns root:user to krb5 clients"
PR http://www.freebsd.org/cgi/query-pr.cgi?pr=162009
With patches.
There was another related PR. In short, the getpw*_r routines call for
a user buffer in which to put all the strings associated with a passwd
structure. Many routines allow only 128 bytes for this. Others in the
kernel use 1024 or 2048. Not a lot of guidance there to work with, eh?
Long gecos info, long principal names, etc. cause these routines to
fail, but the error doesn't seem to prevent non-privileged nfs clients
using kerberos security from creating files. And, those files are owned
root:user. Sometimes user:root. Either way, not so good.
Thanks
Harry Coin