| Field | Value |
|---|---|
| Summary | net-fs/nfs-utils: rpc.statd should be run as non-root |
| Product | Gentoo Linux |
| Reporter | Markus Lischka <mlischka> |
| Component | [OLD] Server |
| Assignee | Gentoo's Team for Core System packages <base-system> |
| Status | UNCONFIRMED |
| Severity | enhancement |
| CC | barzog, bugzie |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| See Also | http://bugs.debian.org/574510, https://bugzilla.redhat.com/show_bug.cgi?id=495066 |
| Whiteboard | |
| Package list | |
| Runtime testing required | --- |
| Attachments | nfs-utils-statd-user-ebuild.diff |
Description
Markus Lischka 2015-03-22 22:10:59 UTC

nfs-utils has never dropped perms afaik on Gentoo.

Created attachment 477634
nfs-utils-statd-user-ebuild.diff

This security issue still needs to be fixed to run rpc.statd unprivileged. Attached is a diff to the nfs-utils ebuild to resolve it. Permissions for sm and sm.bak are also set to 700, as recommended by the Linux NFS FAQ.

Beyond the diff there are a couple of possible further options:
- Could use the configure option "--with-statduser". However, it's only used by the chown in the Makefile.am install, doing the same as the ebuild chown, but it doesn't chown /var/lib/nfs, which is the default statdpath that rpc.statd uses to set its euid, so not worth it.
- Optionally, like Red Hat, you could change statdpath to /var/lib/nfs/statd with the configure option "--with-statdpath" to avoid chowning /var/lib/nfs itself. Not worth changing now though.

The ebuild should also inherit user for enewuser and enewgroup, but that was missing in the diff.

Same problem here. Alan Swanson's fix works for me.
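As an added example (not code from the bug report or from nfs-utils), a small POSIX shell check for the state-directory layout the thread describes: rpc.statd takes its euid from the owner of its state path, so a root-owned path means no privilege drop, and sm and sm.bak should be mode 700 and owned by that same user. It assumes GNU stat and uses a constructed temporary tree instead of /var/lib/nfs.

```shell
#!/bin/sh
# Added example, not code from the bug report or from nfs-utils.
# rpc.statd sets its euid to the owner of its state path (default
# /var/lib/nfs, or whatever statdpath was configured), so the audit
# fails if that path is root-owned. sm and sm.bak must exist, be
# mode 700 and be owned by the same unprivileged user. Assumes GNU stat.

check_statd_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "missing state dir: $dir"; return 1; }
    owner=$(stat -c '%u' "$dir")
    if [ "$owner" -eq 0 ]; then
        echo "$dir is owned by root, so rpc.statd would keep running as root"
        return 1
    fi
    rc=0
    for sub in sm sm.bak; do
        p="$dir/$sub"
        if [ ! -d "$p" ]; then
            echo "missing $p"
            rc=1
            continue
        fi
        mode=$(stat -c '%a' "$p")
        subowner=$(stat -c '%u' "$p")
        if [ "$mode" != "700" ]; then
            echo "$p has mode $mode, expected 700"
            rc=1
        fi
        if [ "$subowner" != "$owner" ]; then
            echo "$p is owned by uid $subowner, expected uid $owner like $dir"
            rc=1
        fi
    done
    return $rc
}

# Constructed demo tree, so this runs without touching /var/lib/nfs.
# Real use: check_statd_dir /var/lib/nfs (or your configured statdpath).
demo=$(mktemp -d)
mkdir "$demo/sm" "$demo/sm.bak"
chmod 700 "$demo/sm" "$demo/sm.bak"
if check_statd_dir "$demo"; then echo "ok: $demo"; else echo "needs fixing: $demo"; fi
rm -rf "$demo"
```

Run as root the demo tree is itself root-owned and the check reports it, which is exactly the condition the ebuild chown is meant to remove.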