Affected releases:
- Lucid, Natty when running NFSv4
One cannot run binary files when permissions are set to ---x--x--x on systems running NFSv4.
Expected behaviour:
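- Allow binaries to run with only --x (execute) permission. This works when the mount point is created using NFSv3. According to the literature, a binary is started through an exec() call to the kernel, so you do not need read permission on the file. (Over NFS the client kernel still has to fetch the file's contents from the server in order to execute it, so the server has to permit that read for an execute-only file.)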
PS: Scripts run as expected when they have r-x permissions. Because a script has to be read by its interpreter (perl, bash), it needs both read and execute permissions.
Steps to reproduce
1. Install nfs
2. configure /etc/exports
/data/nfs *(rw,fsid=0,sync,no_subtree_check)
3. Mount using nfsv4
sudo mount -t nfs4 -o proto=tcp,port=2049 localhost:/ /mnt
ubuntu@ip-10-194-34-180:/mnt$ mount -v
/dev/sda1 on / type ext3 (rw)
proc on /proc type proc (rw,noexec,nosuid,nodev)
none on /sys type sysfs (rw,noexec,nosuid,nodev)
none on /sys/kernel/debug type debugfs (rw)
none on /sys/kernel/security type securityfs (rw)
none on /dev type devtmpfs (rw,mode=0755)
none on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=0620)
none on /dev/shm type tmpfs (rw,nosuid,nodev)
none on /var/run type tmpfs (rw,nosuid,mode=0755)
none on /var/lock type tmpfs (rw,noexec,nosuid,nodev)
none on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)
nfsd on /proc/fs/nfsd type nfsd (rw)
rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
localhost:/ on /mnt type nfs4 (rw,proto=tcp,port=2049,clientaddr=127.0.0.1,addr=127.0.0.1)
==
When running nfsv3
1. sudo mount -t nfs -o vers=3 localhost:/data/nfs /mnt
ubuntu@ip-10-194-34-180:~$ mount -v
/dev/sda1 on / type ext3 (rw)
proc on /proc type proc (rw,noexec,nosuid,nodev)
none on /sys type sysfs (rw,noexec,nosuid,nodev)
none on /sys/kernel/debug type debugfs (rw)
none on /sys/kernel/security type securityfs (rw)
none on /dev type devtmpfs (rw,mode=0755)
none on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=0620)
none on /dev/shm type tmpfs (rw,nosuid,nodev)
none on /var/run type tmpfs (rw,nosuid,mode=0755)
none on /var/lock type tmpfs (rw,noexec,nosuid,nodev)
none on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)
nfsd on /proc/fs/nfsd type nfsd (rw)
rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
localhost:/data/nfs on /mnt type nfs (rw,vers=3,addr=127.0.0.1)
Affected releases:
- Lucid, Natty when running NFSv4
One cannot run binary files when permissions are set to ---x--x--x on systems running NFSv4.
Expected behaviour:
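- Allow binaries to run with only --x (execute) permission. This works when the mount point is created using NFSv3. According to the literature, a binary is started through an exec() call to the kernel, so you do not need read permission on the file. (Over NFS the client kernel still has to fetch the file's contents from the server in order to execute it, so the server has to permit that read for an execute-only file.)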
PS: Scripts run as expected when they have r-x permissions. Because a script has to be read by its interpreter (perl, bash), it needs both read and execute permissions.
Steps to reproduce
1. Install nfs
2. configure /etc/exports
/data/nfs *(rw,fsid=0,sync,no_subtree_check)
3. Mount using nfsv4
sudo mount -t nfs4 -o proto=tcp,port=2049 localhost:/ /mnt
4. cd /mnt
ls -la a.out script.sh
---x--x--x 1 ubuntu ubuntu 8461 2011-08-24 17:59 a.out
---x--x--x 1 ubuntu ubuntu 27 2011-08-24 17:58 script.sh
5. running binary and script
ubuntu@ip-10-194-34-180:/mnt$ ./a.out
-bash: ./a.out: Permission denied
ubuntu@ip-10-194-34-180:/mnt$ ./script.sh
-bash: ./script.sh: Permission denied
ubuntu@ip-10-194-34-180:/mnt$ mount -v
/dev/sda1 on / type ext3 (rw)
proc on /proc type proc (rw,noexec,nosuid,nodev)
none on /sys type sysfs (rw,noexec,nosuid,nodev)
none on /sys/kernel/debug type debugfs (rw)
none on /sys/kernel/security type securityfs (rw)
none on /dev type devtmpfs (rw,mode=0755)
none on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=0620)
none on /dev/shm type tmpfs (rw,nosuid,nodev)
none on /var/run type tmpfs (rw,nosuid,mode=0755)
none on /var/lock type tmpfs (rw,noexec,nosuid,nodev)
none on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)
nfsd on /proc/fs/nfsd type nfsd (rw)
rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
localhost:/ on /mnt type nfs4 (rw,proto=tcp,port=2049,clientaddr=127.0.0.1,addr=127.0.0.1)
==
When running nfsv3
1. sudo mount -t nfs -o vers=3 localhost:/data/nfs /mnt
2. testing again
ubuntu@ip-10-194-34-180:/mnt$ ./a.out
Hello Ubuntu!
ubuntu@ip-10-194-34-180:/mnt$ ./script.sh
/bin/bash: ./script.sh: Permission denied
ubuntu@ip-10-194-34-180:/mnt$
ubuntu@ip-10-194-34-180:~$ mount -v
/dev/sda1 on / type ext3 (rw)
proc on /proc type proc (rw,noexec,nosuid,nodev)
none on /sys type sysfs (rw,noexec,nosuid,nodev)
none on /sys/kernel/debug type debugfs (rw)
none on /sys/kernel/security type securityfs (rw)
none on /dev type devtmpfs (rw,mode=0755)
none on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=0620)
none on /dev/shm type tmpfs (rw,nosuid,nodev)
none on /var/run type tmpfs (rw,nosuid,mode=0755)
none on /var/lock type tmpfs (rw,noexec,nosuid,nodev)
none on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)
nfsd on /proc/fs/nfsd type nfsd (rw)
rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
localhost:/data/nfs on /mnt type nfs (rw,vers=3,addr=127.0.0.1)