Comment 52 for bug 13795

Paul Szabo (psz-maths) wrote: Re: Bug#299007: base-files: Insecure PATH

Brendan O'Dea <email address hidden> wrote:

> Your argument is that exporting a writable / or /usr via NFS exposes
> you to possible exploits? Then DON'T DO THAT.

and Manoj Srivastava <email address hidden> wrote:

> ... majority do not NFS export /usr/local ...

Sorry, but that is not the issue. The attacked machine would not be an
exporter, but a mounter of user files.

Suppose I have a bunch of machines that "share" user files: all
NFS-mount /users (containing user home directories /users/*). Getting
root on any one of this bunch of machines would allow me to create a
setgid-staff file; or maybe I could mess around with the .bashrc of a
user in group staff.

Arguments about exports with squash_gids are moot: many NFS exporters do
not have that option; and non-Debian exporters would not know or care
about group staff.

Other points raised:

> That "src" group is *obviously* a security risk, it makes any user in
> that group root-equiv since they can dick with /usr/src/linux...

No risk: /usr/src is not used on a regular basis. Root should verify his
sources before building and installing a new kernel.

> The various role groups are useful [to] provide limited access to
> certain files/subtrees.

Yes, e.g. group mail is useful (only because we do not trust sendmail?).
Group disk is not useful: there is no-one in that group, nor are there
setgid-disk binaries. I wonder about group tty.

> ... a finer distinction of privileges ... we should encourage.

Yes, definitely; but we need to do so securely.

Cheers,

Paul Szabo <email address hidden> http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
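A defender-side check for the scenario Paul describes, added here as an example and not part of his message or the bug thread: it flags NFS mounts whose options lack `nosuid` (on Linux that option makes the kernel ignore setuid and setgid bits on files from that mount, so a setgid-staff file planted on a shared /users from another client gains nothing here) and lists setgid files of a given group under a directory. The mount table format is that of /proc/mounts; the sample table is constructed, and the group name `staff` is used only because the thread discusses it.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (not taken from the bug report):
# one NFSv3 mount without nosuid, one NFSv4 mount with it, and a local root fs.
SAMPLE_MOUNTS='nfsserver:/export/users /users nfs rw,vers=3,addr=10.0.0.1 0 0
nfsserver:/export/scratch /scratch nfs4 rw,nosuid,nodev,addr=10.0.0.1 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# Print the mount point of every NFS filesystem (type nfs, nfs4, ...) whose
# option list does not contain "nosuid". Fields: device mountpoint type options.
nfs_mounts_without_nosuid() {
    printf '%s\n' "$1" | awk '
        $3 ~ /^nfs/ {
            n = split($4, opts, ",")
            found = 0
            for (i = 1; i <= n; i++) if (opts[i] == "nosuid") found = 1
            if (!found) print $2
        }'
}

# List regular files under $1 that are setgid and owned by group $2
# (e.g. find_setgid_for_group /users staff). -xdev keeps the scan on one
# filesystem so a network home directory tree is examined on its own.
find_setgid_for_group() {
    find "$1" -xdev -type f -group "$2" -perm -2000 2>/dev/null
}

# Stand-alone run: report on the constructed sample, then on the live system
# when invoked as "sh audit.sh --live" (the live part needs read access only).
echo "Sample NFS mounts missing nosuid:"
nfs_mounts_without_nosuid "$SAMPLE_MOUNTS"
if [ "${1:-}" = "--live" ] && [ -r /proc/mounts ]; then
    echo "Live NFS mounts missing nosuid:"
    nfs_mounts_without_nosuid "$(cat /proc/mounts)"
    for mp in $(nfs_mounts_without_nosuid "$(cat /proc/mounts)"); do
        echo "setgid-staff files under $mp:"
        find_setgid_for_group "$mp" staff
    done
fi
```

On the sample table only /users is reported; the /scratch mount carries nosuid and the local ext4 root is not NFS at all.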