Managing Systems and Workgroups: A Guide for HP-UX System Administrators

Administering a System: Managing System Security
Controlling Security on a Network
Chapter 8 787
file system without having logged into the server system. See “Managing
File Systems” on page 602 for more information. See also exports (4) for
further information on controlling access to exported file systems.
Server Vulnerability
Server security depends on what /etc/exports makes available and to whom:
restrict each export to the clients that need it (the access and rw options)
and keep the file itself writable only by root. Root privileges are not
carried across NFS. Unless a client is named in an export's root option, the
server treats a request from uid 0 on that client as coming from an unknown
user and maps it to the anonymous uid (the anon option; see exports (4)).
Having root privileges on a client system therefore does not by itself give
you special access to the server.
The server performs the same permission checking for a remote client as it
does locally for its own users. It controls a client's access to a server
file by comparing the user ID and group ID received over the network with
the owner and group of the file and applying the file's mode bits. Checking
occurs within the kernel.
Because the check trusts the identity the client sends, a user with root
privileges on an NFS client can become any user ID on that client and obtain
that user's access to the server; if the client is also granted root access
to the export, that access is unlimited. Never export any file system to a
node on which privilege is granted more leniently than under your own
node's policy!
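The following is an added illustration of the server-side check just described; it is not HP-UX kernel or exports code. It models how the uid and gid received from a client are mapped (root becomes the anonymous uid unless the client is named in the export's root option) and then tested against the owner, group and mode bits of the file, exactly as for a local process. The names parse_export_line(), map_credentials() and check_access() are chosen here, and the parser understands only the access, ro, root and anon options of an /etc/exports entry.

```python
"""Model of the uid/gid check an NFS server applies to a client request,
including the root mapping that exports(4) controls with the root and anon
options.  Added illustration, not HP-UX code: the function names are ours
and the parser handles only the access, ro, root and anon options."""

NOBODY_UID = 65534  # conventional anonymous uid (-2 as a 16-bit value)

PERM_BIT = {"r": 4, "w": 2, "x": 1}


def parse_export_line(line):
    """Parse one /etc/exports entry such as
    '/home -access=red:green,root=red,anon=65534'
    into (path, options).  Host lists are colon-separated, options
    comma-separated after a leading '-'."""
    path, *fields = line.split()
    opts = {"access": None, "ro": False, "root": set(), "anon": NOBODY_UID}
    for field in fields:
        for opt in field.lstrip("-").split(","):
            key, _, value = opt.partition("=")
            if key in ("access", "root"):
                opts[key] = set(value.split(":")) if value else set()
            elif key == "anon":
                opts["anon"] = int(value)
            elif key == "ro":
                opts["ro"] = True
    return path, opts


def map_credentials(opts, client_host, uid, gid):
    """Credentials the server actually checks.  uid 0 is honoured only for
    hosts listed in the root option; any other root request is treated as
    an unknown user and becomes the anonymous uid (gid squashed too, which
    is a simplification of the real server)."""
    if uid == 0 and client_host not in opts["root"]:
        return opts["anon"], opts["anon"]
    return uid, gid


def check_access(opts, client_host, uid, gid, file_uid, file_gid, file_mode, want):
    """True if client_host, presenting uid/gid, may do want ('r', 'w' or 'x')
    to a server file with the given owner, group and mode."""
    if opts["access"] is not None and client_host not in opts["access"]:
        return False                      # host may not even mount the export
    if want == "w" and opts["ro"]:
        return False                      # read-only export
    uid, gid = map_credentials(opts, client_host, uid, gid)
    if uid == 0:
        # Server-side root bypasses the mode bits, as for a local process
        # (execute still needs at least one x bit set).
        return want != "x" or bool(file_mode & 0o111)
    if uid == file_uid:
        bits = (file_mode >> 6) & 7       # owner bits
    elif gid == file_gid:
        bits = (file_mode >> 3) & 7       # group bits
    else:
        bits = file_mode & 7              # other bits
    return bool(bits & PERM_BIT[want])


if __name__ == "__main__":
    # Constructed sample export: red may act as root, green may not, blue
    # cannot mount at all.
    path, opts = parse_export_line("/home -access=red:green,root=red,anon=65534")
    cases = [
        # host,   uid, gid, file_uid, file_gid, mode,  want
        ("green",   0,   0,        0,        0, 0o644, "w"),  # client root, squashed
        ("red",     0,   0,        0,        0, 0o644, "w"),  # client root, trusted
        ("green", 200,  20,      200,       20, 0o600, "r"),  # file owner
        ("green", 300,  20,      200,       20, 0o640, "w"),  # group member, no w bit
        ("blue",  200,  20,      200,       20, 0o600, "r"),  # host not in access list
    ]
    for case in cases:
        print(path, case, "->", check_access(opts, *case))
```

Run on a client the model shows the point of the passage: the client's root gets nothing beyond what the anonymous uid gets, but any uid the client chooses to present is accepted as that uid, which is why export lists must be kept tight.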
Client Vulnerability
In earlier releases of NFS for workstations, the /dev inode had to reside
on the client's disk. NFS now allows the inode for a client-mounted device,
carrying the device's major and minor numbers, to exist on the server side.
A device special file is interpreted by the kernel that opens it: when a
client process opens such a file through an NFS mount, the client kernel
maps the stored major and minor numbers onto its own devices, while the
mode bits it honours are the ones stored on the server. This opens the
possibility of a Trojan Horse that overrides the permissions set on the
client's real device file, by reaching the device through a file and inode
that live on the server.
Although lacking permission to make a device file on the client side, a
system violator wanting to sabotage the client can create an undermining
device file, such as a copy of /dev/kmem, using root permissions on the
server side in an exported directory. The new file is created with the same
major and minor numbers as the target device on the client, but with the
permissions crw-rw-rw-.
The violator can then go to the client, log in as an ordinary user, open
the newly created device file through the NFS mount, and use it for devious
means: to wipe out the client's kernel memory, read the contents of every
process on the client, or do other mischief. The client's own /dev/kmem
permissions never apply, because the file that was opened is not the
client's /dev/kmem. Protect a client by mounting server file systems with
the nodevs option (see mount_nfs (1M)) wherever device files are not
needed, and audit mounted file systems for device special files.
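The audit a client administrator would run against the attack above, as an added example that is not part of the original manual or of HP-UX: it walks a mount point, reports every block or character special file it finds with the major and minor numbers the client kernel would act on, and flags the crw-rw-rw- case. The names classify(), scan_tree() and report() are chosen here; the script is run on the client against the mount point.

```python
"""Audit a tree (for example an NFS mount point, as seen from the client)
for device special files, the Trojan-horse condition described above.
Added illustration, not HP-UX code: classify(), scan_tree() and report()
are names chosen here."""
import os
import stat
import sys


def classify(path):
    """Describe path if it is a block or character special file, else None.
    A client kernel resolves the stored major/minor numbers against its own
    devices, so any device node others can write to is a finding; the
    crw-rw-rw- case shows up as world_writable."""
    try:
        st = os.lstat(path)   # lstat: a symlink is reported as a symlink, not followed
    except OSError:
        return None
    mode = st.st_mode
    if not (stat.S_ISCHR(mode) or stat.S_ISBLK(mode)):
        return None
    return {
        "path": path,
        "type": "char" if stat.S_ISCHR(mode) else "block",
        "major": os.major(st.st_rdev),
        "minor": os.minor(st.st_rdev),
        "mode": stat.filemode(mode),
        "uid": st.st_uid,
        "world_writable": bool(mode & stat.S_IWOTH),
        "group_writable": bool(mode & stat.S_IWGRP),
    }


def scan_tree(root):
    """Walk root without following symlinks and collect every device node."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            finding = classify(os.path.join(dirpath, name))
            if finding is not None:
                findings.append(finding)
    return findings


def report(findings, only_writable=True):
    """Render findings as text lines; by default only nodes that group or
    others can write to, which is the condition worth escalating."""
    lines = []
    for f in findings:
        if only_writable and not (f["world_writable"] or f["group_writable"]):
            continue
        lines.append("%s %-5s %s dev %d,%d owner uid %d" % (
            f["mode"], f["type"], f["path"], f["major"], f["minor"], f["uid"]))
    return lines


if __name__ == "__main__":
    # Default to the local /dev so the script has something to show when
    # run without arguments; on a client pass the NFS mount point instead.
    root = sys.argv[1] if len(sys.argv) > 1 else "/dev"
    for line in report(scan_tree(root)):
        print(line)
```

Run against a mount point, any line of output is a device node the server operator (or anyone with root there) placed in the export; on a correctly administered client no such node should exist unless the mount is deliberately used to carry device files.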