Adding NFS shares with GUI has scary behavior when a folder has spaces between words

Bug #183442 reported by Termina on 2008-01-16
256
Affects Status Importance Assigned to Milestone
nfs-utils (Ubuntu)
Low
Unassigned

Bug Description

Create a 'Shared' folder in /home/username
Create a 'Shared 192.168.1.100' folder in /home/username

Right click 'Shared' and go to 'Share Folder'. Add a NFS share with no allowed IP addresses.
Right click 'Shared 192.168.1.100'. Add a NFS share with no allowed IP addresses.

Go to 'System' - 'Administration' - 'Shared Folders'

You will now see only one share, '/home/will/Shared', that allows 192.168.1.100 to access this folder.

This does change the /etc/exports file, and I believe it may be a security vulnerability.

Doing this with a folder with three words (two spaces) adds each word after the space to hosts allowed to access (read-only) the share.

Seems like it would be important for users to share a folder with spaces in it, especially for everyday desktop use.

Derek Morton (derek-morton) wrote :

I can also confirm this.

A slightly educated guess would hypothesize that the GUI doesn't like the backslashes that are needed in the path, because when the needed backslash is manually added to /etc/exports, the 'Shared Folders' GUI comes up with an error when trying to view the properties for the share saying that the folder cannot be found. After closing the error dialog box and the properties box, the share is changed to '/home/username' with the same properties as the intended folder.

The above stated behavior also occurs when a folder is added just using the 'Shared Folders' dialog.

Derek Morton (derek-morton) wrote :

Just more information to add to my previous post, I reproduced the steps on Ubuntu 7.10 with the most current updates. I'm unsure how other versions would be affected.

Derek Morton (derek-morton) wrote :

It may also be related to this bug:

Mounting NFS share from fstab fails with escaped character in directory name

https://bugs.launchpad.net/ubuntu/+bug/157933

Changed in nfs-utils:
status: New → Confirmed
Kees Cook (kees) on 2009-04-16
Changed in nfs-utils (Ubuntu):
importance: Undecided → Low
Steve Langasek (vorlon) wrote :

Thank you for taking the time to report this issue and help to improve Ubuntu.

In Ubuntu 8.04 and above, there is no GUI interface for sharing folders over NFS, so I'm closing this bug as invalid.

Also, if there were such an interface, the bug would lie in that tool, not in nfs-utils where this bug has been assigned; /etc/exports does support quoted strings as a means of exporting directory names that contain spaces.

Changed in nfs-utils (Ubuntu):
status: Confirmed → Invalid
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers