NFSv4 mount point does not allow binary files to run when permissions are set only to execute
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Linux | Fix Released | Medium | | |
| linux (Ubuntu) | | Medium | Chris J Arges | |
| Lucid | | Undecided | Chris J Arges | |
| Maverick | | Undecided | Unassigned | |
| Natty | | Undecided | Chris J Arges | |
| Oneiric | | Undecided | Unassigned | |
| Precise | | Medium | Chris J Arges | |
Bug Description
Affected releases:
- Lucid, Natty when running NFSv4
One cannot run binary files when permissions are set to ---x--x--x on systems running NFSv4.
Expected behaviour:
- Allow binaries to run by just having --x (execute) permissions. This works when the mount point is created using NFSv3. According to the literature, if it is a binary it makes an exec() call to the kernel, therefore you don't need to have (read) permissions on the file.
PS: Scripts run as expected when they have r-x permissions. Since scripts have to pass through an interpreter (perl, bash), they do need to have (read and exec) permissions.
Steps to reproduce
1. Install nfs
2. configure /etc/export
/data/nfs *(rw,fsid=
3. Mount using nfsv4
sudo mount -t nfs4 -o proto=tcp,port=2049 localhost:/ /mnt
4. cd /mnt
ls -la a.out script.sh
---x--x--x 1 ubuntu ubuntu 8461 2011-08-24 17:59 a.out
---x--x--x 1 ubuntu ubuntu 27 2011-08-24 17:58 script.sh
5. running binary and script
ubuntu@
-bash: ./a.out: Permission denied
ubuntu@
-bash: ./script.sh: Permission denied
ubuntu@
/dev/sda1 on / type ext3 (rw)
proc on /proc type proc (rw,noexec,
none on /sys type sysfs (rw,noexec,
none on /sys/kernel/debug type debugfs (rw)
none on /sys/kernel/
none on /dev type devtmpfs (rw,mode=0755)
none on /dev/pts type devpts (rw,noexec,
none on /dev/shm type tmpfs (rw,nosuid,nodev)
none on /var/run type tmpfs (rw,nosuid,
none on /var/lock type tmpfs (rw,noexec,
none on /lib/init/rw type tmpfs (rw,nosuid,
nfsd on /proc/fs/nfsd type nfsd (rw)
rpc_pipefs on /var/lib/
localhost:/ on /mnt type nfs4 (rw,proto=
==
When running nfsv3
1. sudo mount -t nfs -o vers=3 localhost:/data/nfs /mnt
2. testing again
ubuntu@
Hello Ubuntu!
ubuntu@
/bin/bash: ./script.sh: Permission denied
ubuntu@
ubuntu@
/dev/sda1 on / type ext3 (rw)
proc on /proc type proc (rw,noexec,
none on /sys type sysfs (rw,noexec,
none on /sys/kernel/debug type debugfs (rw)
none on /sys/kernel/
none on /dev type devtmpfs (rw,mode=0755)
none on /dev/pts type devpts (rw,noexec,
none on /dev/shm type tmpfs (rw,nosuid,nodev)
none on /var/run type tmpfs (rw,nosuid,
none on /var/lock type tmpfs (rw,noexec,
none on /lib/init/rw type tmpfs (rw,nosuid,
nfsd on /proc/fs/nfsd type nfsd (rw)
rpc_pipefs on /var/lib/
localhost:/data/nfs on /mnt type nfs (rw,vers=
---
AlsaVersion: Advanced Linux Sound Architecture Driver Version 1.0.23.
AplayDevices: Error: [Errno 2] No such file or directory
Architecture: amd64
ArecordDevices: Error: [Errno 2] No such file or directory
AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/by-path', '/dev/snd/
CRDA: Error: [Errno 2] No such file or directory
Card0.Amixer.info: Error: [Errno 2] No such file or directory
Card0.Amixer.
CurrentDmesg:
[ 3.585529] NFSD: Using /var/lib/
[ 3.585840] NFSD: starting 90-second grace period
[ 13.220124] eth0: no IPv6 routers present
DistroRelease: Ubuntu 11.04
HibernationDevice: RESUME=
IwConfig:
lo no wireless extensions.
eth0 no wireless extensions.
Lsusb: Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
MachineType: Bochs Bochs
Package: linux (not installed)
ProcEnviron:
LANGUAGE=en_US:
LANG=en_US
SHELL=/bin/bash
ProcKernelCmdLine: BOOT_IMAGE=
ProcVersionSign
RelatedPackageV
linux-
linux-
linux-firmware 1.52
RfKill:
Tags: natty
Uname: Linux 2.6.38-10-server x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare
dmi.bios.date: 01/01/2007
dmi.bios.vendor: Bochs
dmi.bios.version: Bochs
dmi.chassis.type: 1
dmi.chassis.vendor: Bochs
dmi.modalias: dmi:bvnBochs:
dmi.product.name: Bochs
dmi.sys.vendor: Bochs
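The report above distinguishes three cases: a binary with mode 0111 should execute, a script with mode 0111 should be denied (its interpreter has to read it), and the file itself should not be readable. The following portable shell check is an added example, not part of the bug report or its attachments; it reproduces those three probes against any directory so the result on a local filesystem can be compared with the result on an NFSv4 mount such as /mnt. It assumes /bin/true is a native binary, that the target directory is writable by the caller and that it is not mounted noexec; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): probe how a directory enforces
# execute-only (mode 0111) files. Run it on a local directory and on the
# NFSv4 mount and compare the two result lines.
# Assumptions: /bin/true is a native binary; DIR is writable by the caller
# and not mounted noexec.

# check_exec_only [DIR]
# Prints: binary=<ran|denied> script=<ran|denied> read=<allowed|denied>
check_exec_only() {
    base=${1:-${TMPDIR:-/tmp}}
    dir=$(mktemp -d "$base/execonly.XXXXXX") || return 1

    # A real binary: the kernel opens it for exec, not read, so mode 0111
    # should be enough. The copy keeps the name "true" so a busybox-style
    # multi-call binary still picks the right applet from argv[0].
    cp /bin/true "$dir/true" && chmod 0111 "$dir/true"

    # A #! script: the interpreter named on the first line must read the
    # file, so with mode 0111 a non-root user is expected to be denied.
    printf '#!/bin/sh\necho hello\n' > "$dir/script.sh" && chmod 0111 "$dir/script.sh"

    if "$dir/true" 2>/dev/null; then binary=ran; else binary=denied; fi
    if "$dir/script.sh" >/dev/null 2>&1; then script=ran; else script=denied; fi
    if cat "$dir/true" >/dev/null 2>&1; then read=allowed; else read=denied; fi

    rm -rf "$dir"
    echo "binary=$binary script=$script read=$read"
}

# expected_result: what a correctly behaving filesystem reports for the
# calling user. uid 0 carries CAP_DAC_OVERRIDE, so for root the script runs
# and the file is readable even with mode 0111.
expected_result() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "binary=ran script=ran read=allowed"
    else
        echo "binary=ran script=denied read=denied"
    fi
}

# Usage: sh execonly.sh DIR   (e.g. sh execonly.sh /mnt for the NFSv4 mount)
if [ -n "${1:-}" ]; then
    printf 'observed: %s\nexpected: %s\n' "$(check_exec_only "$1")" "$(expected_result)"
fi
```

Run it as an unprivileged user: root bypasses the read check, so the script and read probes are only meaningful for a normal uid. A line such as "binary=denied script=denied read=denied" on the NFSv4 mount next to "binary=ran script=denied read=denied" on a local directory is exactly the mismatch the report describes, while "binary=ran script=ran" on the mount would show the server permitting read opens that the client then does not re-check.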
This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:
apport-collect 833300
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.
| Changed in linux (Ubuntu): | |
| status: | New → Incomplete |
| Leonardo Borda (lborda) wrote : AcpiTables.txt | #3 |
apport information
| tags: | added: apport-collected natty |
| description: | updated |
| Leonardo Borda (lborda) wrote : AlsaDevices.txt | #4 |
apport information
| Leonardo Borda (lborda) wrote : BootDmesg.txt | #5 |
apport information
| Leonardo Borda (lborda) wrote : Lspci.txt | #6 |
apport information
| Leonardo Borda (lborda) wrote : ProcCpuinfo.txt | #8 |
apport information
| Leonardo Borda (lborda) wrote : UdevDb.txt | #12 |
apport information
| Leonardo Borda (lborda) wrote : UdevLog.txt | #13 |
apport information
| Leonardo Borda (lborda) wrote : WifiSyslog.txt | #14 |
apport information
| Torsten Spindler (tspindler) wrote : | #15 |
There seems to be an upstream patch available in http://
| Changed in linux (Ubuntu): | |
| assignee: | nobody → Canonical Kernel Team (canonical-kernel-team) |
| status: | Incomplete → Triaged |
| Torsten Spindler (tspindler) wrote : | #16 |
I reproduced this problem per your setup on Ubuntu 10.04 LTS server and client. There nfs4 would not work (e.g. permission denied), but nfs3 works. However, on Oneiric as server neither works:
spindler@
spindler@
bash: /mnt-meteor/hello: Permission denied
spindler@
meteor:
| Torsten Spindler (tspindler) wrote : | #17 |
I've patched a Lucid kernel with the patch from your upstream bugreport:
https:/
and attached it here. While the execution of a binary works now, the execution of shell scripts and even inspection of the script work as well:
spindler@
---x--x--x 1 4294967294 4294967294 33 2011-09-14 08:53 /mnt/hello.sh
spindler@
Hello Leonardo
spindler@
#!/bin/sh
echo "Hello Leonardo"
spindler@
spitfire:/ on /mnt type nfs4 (rw,proto=
| Torsten Spindler (tspindler) wrote : | #18 |
Same problem with modified Oneiric kernel as server:
spindler@
total 24
drwxrwxr-x 2 spindler spindler 4096 2011-09-14 10:16 .
drwxr-xr-x 23 root root 4096 2011-09-14 08:49 ..
---x--x--x 1 spindler spindler 7139 2011-09-14 10:16 hello
-rw-rw-r-- 1 spindler spindler 99 2011-09-13 14:35 hello.c
---x--x--x 1 spindler spindler 33 2011-09-13 14:36 hello.sh
spindler@
Hello Leonardo
spindler@
Hello Leonardo
spindler@
meteor:/ on /mnt-meteor type nfs4 (rw,proto=
spindler@
| Leonardo Borda (lborda) wrote : | #19 |
Hello Torsten,
Same problem here.
The patch solves the binary-file case, but now it also allows scripts to run,
which is a security issue. I am reopening this bug with upstream. See the info below.
ubuntu@ubuntu:~$ sudo umount /mnt/
ubuntu@ubuntu:~$ sudo mount -t nfs4 -o proto=tcp,port=2049 ubuntu:/ /mnt
ubuntu@ubuntu:~$ uname -a
Linux ubuntu 2.6.32-34-generic #77~lp833300 SMP Wed Sep 14 11:10:49 CEST 2011
i686 i686 i386 GNU/Linux
ubuntu@ubuntu:~$ cd /mnt/
ubuntu@ubuntu:/mnt$ ls -la
total 24
drwxrwxrwx 2 4294967294 4294967294 4096 2011-09-21 16:25 .
drwxr-xr-x 22 root root 4096 2011-09-21 16:18 ..
-rw-r--r-- 1 4294967294 4294967294 72 2011-09-21 16:25 a.c
---x--x--x 1 4294967294 4294967294 7127 2011-09-21 16:25 a.out
---x--x--x 1 4294967294 4294967294 23 2011-09-21 16:20 b.sh
ubuntu@ubuntu:/mnt$ ./a.out
Hello C programming
ubuntu@ubuntu:/mnt$ ./b.sh
hello
ubuntu@ubuntu:/mnt$
Thank you in advance!
Leonardo
| Leonardo Borda (lborda) wrote : | #20 |
Hi Guys,
I got an answer from upstream and they actually filed another bug, since it seems to be related to the client itself.
https:/
They will provide a patch so I can test it.
Leonardo
| Changed in linux (Ubuntu): | |
| importance: | Undecided → Medium |
| tags: | added: patch |
| Leonardo Borda (lborda) wrote : | #21 |
This is a note to let you know that developers have just added the patch titled
nfsd4: permit read opens of executable-only files
to the 3.0-stable tree which can be found at:
http://
The filename of the patch is:
nfsd4-
and it can be found in the queue-3.0 subdirectory.
commit a043226bc140a2c
| Changed in linux (Ubuntu): | |
| assignee: | Canonical Kernel Team (canonical-kernel-team) → Chris J Arges (christopherarges) |
| Chris J Arges (arges) wrote : | #22 |
I can reproduce this failure on natty/oneiric just fine.
I then applied the upstream patch (a043226bc140a2
After doing this I installed the tools on my laptop:
apt-get install nfs-common nfs-kernel-server
Then I set up /etc/exports as described in the bug to a directory on my laptop (ext4).
/path/to/dir *(rw,sync,
I then had to insert the module and restart the server:
sudo modprobe nfs
sudo service nfs-kernel-server restart
I mounted the directory:
sudo mount -t nfs4 -o proto=tcp,port=2049 localhost:/ /mnt
I created a similar C program and compiled it. I put this into the shared folder.
I could run it with normal permissions.
I then did 'chmod 111 ./a.out' and then I could not run the program (Permission denied) if I was doing it via the /mnt directory.
arges@arges-
total 24
drwxr-xr-x 2 4294967294 4294967294 4096 2011-11-17 10:12 .
drwxr-xr-x 22 root root 4096 2011-11-17 09:57 ..
---x--x--x 1 4294967294 4294967294 8425 2011-11-17 10:12 a.out
-rw-r--r-- 1 4294967294 4294967294 73 2011-11-17 10:12 hello.c
arges@arges-
-bash: ./a.out: Permission denied
arges@arges-
/dev/vda1 on / type ext4 (rw,errors=
<snip>
nfsd on /proc/fs/nfsd type nfsd (rw)
localhost:/ on /mnt type nfs (rw,vers=
I could run it if I wasn't running it over the nfsv4 share (sanity check):
arges@arges-
arges@arges-
total 24
drwxr-xr-x 2 arges arges 4096 2011-11-17 10:12 .
drwxr-xr-x 22 arges arges 4096 2011-11-17 10:10 ..
---x--x--x 1 arges arges 8425 2011-11-17 10:12 a.out
-rw-r--r-- 1 arges arges 73 2011-11-17 10:12 hello.c
arges@arges-
hello binary
| Leonardo Borda (lborda) wrote : | #23 |
Hi Chris,
Thanks for taking a look at this issue. So it looks like the upstream fix does not solve the issue. Could you please report this to upstream?
Leonardo
| Leonardo Borda (lborda) wrote : | #24 |
Hi Chris,
Thanks for taking a look at this issue. So it looks like the upstream patch does not solve the issue.
Could you please write your findings on the thread below:
http://
Leonardo
| Chris J Arges (arges) wrote : | #25 |
@lborda,
I've responded that this does not solve the issue:
http://
| Changed in linux (Ubuntu): | |
| status: | Triaged → In Progress |
| Chris J Arges (arges) wrote : | #26 |
Using the above test setup, and trying various clients I see a mismatch:
Using a newer nfs client (nfs-common 1:1.2.2-4), I can read a file with 111 permissions, but cannot execute it.
With an older nfs client (nfs-common 1:1.2.0-4), I can read and execute a file with 111 permissions.
| Chris J Arges (arges) wrote : | #27 |
Contacted upstream nfsv4 maintainer about this. This may be an nfs-common / nfsv4 client issue.
| Chris J Arges (arges) wrote : | #28 |
Attached is the backport of a043226bc140a2c
| Chris J Arges (arges) wrote : | #29 |
Attached is the backport of a043226bc140a2c
| Chris J Arges (arges) wrote : | #30 |
SRU request sent to kernel mailing list.
| Changed in linux (Ubuntu): | |
| status: | In Progress → Fix Committed |
| Changed in linux (Ubuntu Natty): | |
| status: | New → Fix Committed |
| Changed in linux (Ubuntu Lucid): | |
| status: | New → Fix Committed |
| Tim Gardner (timg-tpi) wrote : | #31 |
rtg@lochsa:
Ubuntu-
| Changed in linux (Ubuntu Oneiric): | |
| status: | New → Fix Released |
| Changed in linux (Ubuntu Precise): | |
| status: | Fix Committed → Fix Released |
| Herton R. Krzesinski (herton) wrote : | #32 |
This bug is awaiting verification that the kernel for Natty in -proposed solves the problem (2.6.38-13.54). Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-
If verification is not done by one week from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/
| tags: | added: verification-needed-natty |
| Herton R. Krzesinski (herton) wrote : | #33 |
This bug is also awaiting verification that the kernel for Lucid in -proposed solves the problem (2.6.32-38.83). If the problem is solved, change the tag 'verification-
| tags: | added: verification-needed-lucid |
| tags: |
added: verification-done-lucid removed: verification-needed-lucid |
| Chris J Arges (arges) wrote : | #34 |
@herton
Cannot verify natty. It does not work with the latest nfs-common, and with the older nfs-common as identified in the bug.
| Changed in linux (Ubuntu Lucid): | |
| assignee: | nobody → Chris J Arges (christopherarges) |
| tags: |
added: verification-failed-natty removed: verification-needed-natty |
| Chris J Arges (arges) wrote : | #35 |
Using a VM with natty -proposed running the server and a VM with lucid -proposed running the client: the client can mount the directory and execute a binary with 111 permissions.
| Changed in linux (Ubuntu Natty): | |
| assignee: | nobody → Chris J Arges (christopherarges) |
| tags: |
added: verification-done-natty removed: verification-failed-natty |
| Leonardo Borda (lborda) wrote : | #36 |
@Chris and @herton!!
Thank you for your work!!!
Leonardo
| Launchpad Janitor (janitor) wrote : | #37 |
This bug was fixed in the package linux - 2.6.32-38.83
---------------
linux (2.6.32-38.83) lucid-proposed; urgency=low
[Herton R. Krzesinski]
* Release Tracking Bug
- LP: #911405
[ Upstream Kernel Changes ]
* Revert "clockevents: Set noop handler in clockevents_
- LP: #911392
* Linux 2.6.32.52
- LP: #911392
linux (2.6.32-38.82) lucid-proposed; urgency=low
[Herton R. Krzesinski]
* Release Tracking Bug
- LP: #910906
[ Tetsuo Handa ]
* SAUCE: netns: Add quota for number of NET_NS instances.
[ Tim Gardner ]
* [Config] CONFIG_NET_NS=y
- LP: #790863
[ Upstream Kernel Changes ]
* Revert "core: Fix memory leak/corruption on VLAN GRO_DROP,
CVE-2011-1576"
* hfs: fix hfs_find_init() sb->ext_tree NULL ptr oops, CVE-2011-2203
- LP: #899466
- CVE-2011-2203
* net: ipv4: relax AF_INET check in bind()
- LP: #900396
* KEYS: Fix a NULL pointer deref in the user-defined key type,
CVE-2011-4110
- LP: #894369
- CVE-2011-4110
* i2c-algo-bit: Generate correct i2c address sequence for 10-bit target
- LP: #902317
* eCryptfs: Extend array bounds for all filename chars
- LP: #902317
* PCI hotplug: shpchp: don't blindly claim non-AMD 0x7450 device IDs
- LP: #902317
* ARM: 7161/1: errata: no automatic store buffer drain
- LP: #902317
* ALSA: lx6464es - fix device communication via command bus
- LP: #902317
* SUNRPC: Ensure we return EAGAIN in xs_nospace if congestion is cleared
- LP: #902317
* timekeeping: add arch_offset hook to ktime_get functions
- LP: #902317
* p54spi: Add missing spin_lock_init
- LP: #902317
* p54spi: Fix workqueue deadlock
- LP: #902317
* nl80211: fix MAC address validation
- LP: #902317
* gro: reset vlan_tci on reuse
- LP: #902317
* staging: usbip: bugfix for deadlock
- LP: #902317
* staging: comedi: fix oops for USB DAQ devices.
- LP: #902317
* Staging: comedi: fix signal handling in read and write
- LP: #902317
* USB: whci-hcd: fix endian conversion in qset_clear()
- LP: #902317
* usb: ftdi_sio: add PID for Propox ISPcable III
- LP: #902317
* usb: option: add SIMCom SIM5218
- LP: #902317
* USB: usb-storage: unusual_devs entry for Kingston DT 101 G2
- LP: #902317
* SCSI: scsi_lib: fix potential NULL dereference
- LP: #902317
* SCSI: Silencing 'killing requests for dead queue'
- LP: #902317
* cifs: fix cifs stable patch cifs-fix-
- LP: #902317
* sched, x86: Avoid unnecessary overflow in sched_clock
- LP: #902317
* x86/mpparse: Account for bus types other than ISA and PCI
- LP: #902317
* oprofile, x86: Fix crash when unloading module (nmi timer mode)
- LP: #902317
* genirq: Fix race condition when stopping the irq thread
- LP: #902317
* tick-broadcast: Stop active broadcast device when replacing it
- LP: #902317
* clockevents: Set noop handler in clockevents_
- LP: #902317
* Linux 2.6.32.50
- LP: #902317
* nfsd4: permit read opens of executable-only files
- LP: #833300
* ipv6: Allow inet6_dump_addr() to handle more t...
| Changed in linux (Ubuntu Lucid): | |
| status: | Fix Committed → Fix Released |
| Launchpad Janitor (janitor) wrote : | #38 |
This bug was fixed in the package linux - 2.6.38-13.54
---------------
linux (2.6.38-13.54) natty-proposed; urgency=low
[Herton R. Krzesinski]
* Release Tracking Bug
- LP: #911195
[ Alex Bligh ]
* (config) Change Xen paravirt drivers to be built-in
- LP: #886521
[ Paolo Pisati ]
* [Config] DEFAULT_
- LP: #903346
[ Seth Forshee ]
* SAUCE: dell-wmi: Demote unknown WMI event message to pr_debug
- LP: #581312
[ Upstream Kernel Changes ]
* VFS: Fix vfsmount overput on simultaneous automount
- LP: #769927
* TPM: Zero buffer after copying to userspace, CVE-2011-1162
- LP: #899463
- CVE-2011-1162
* hfs: fix hfs_find_init() sb->ext_tree NULL ptr oops, CVE-2011-2203
- LP: #899466
- CVE-2011-2203
* KEYS: Fix a NULL pointer deref in the user-defined key type,
CVE-2011-4110
- LP: #894369
- CVE-2011-4110
* nfsd4: permit read opens of executable-only files
- LP: #833300
* Support for Terratec G1
- LP: #821061
-- Herton Ronaldo Krzesinski <email address hidden> Tue, 03 Jan 2012 10:03:15 -0200
| Changed in linux (Ubuntu Natty): | |
| status: | Fix Committed → Fix Released |
| Changed in linux: | |
| importance: | Unknown → Medium |
| status: | Unknown → Confirmed |
| Julian Wiedmann (jwiedmann) wrote : | #39 |
This release has reached end-of-life [0].
| Changed in linux (Ubuntu Maverick): | |
| status: | New → Invalid |
| Changed in linux: | |
| status: | Confirmed → Fix Released |
I've opened an upstream bug as well.
https://bugzilla.linux-nfs.org/show_bug.cgi?id=201
Leonardo