Subject: kern/8884: NFS caching error in 1.4.1
To: None <gnats-bugs@gnats.netbsd.org>
From: None <norm@mono.org>
List: netbsd-bugs
Date: 11/26/1999 10:24:38
>Number: 8884
>Category: kern
>Synopsis: Files aren't totally secure over NFS
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: kern-bug-people (Kernel Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Nov 26 10:24:01 1999
>Last-Modified:
>Originator: NoRM
>Organization:
Monochrome BBS
>Release: 1.4.1
>Environment:
NetBSD electron.mono.org 1.4.1 NetBSD 1.4.1 (MONO_CLIENT) #3: Fri Nov 12 20:40:09 GMT 1999 norm@lambda.mono.org:/files/src/sys/arch/sparc/compile/MONO_CLIENT sparc
>Description:
When mounting an NFS filesystem under 1.4.1, it is sometimes possible
to gain more information than should be possible (looks cache related).
For example:
> amf@le> ls -ld /mono/u1/norm/help
> ls: help: Permission denied
(user with permission to access those files does so)
> amf@le> ls -ld /mono/u1/norm/help
> drwxr-x--- 11 norm mono 512 Nov 12 11:17 /mono/u1/norm/help/
> amf@le> ls -ld /mono/u1/norm/help/help.mn
> -rw-r----- 1 norm mono 768 Feb 8 1999 /mono/u1/norm/help/help.mn
The user amf in this case is not a member of group 'mono', so shouldn't
be able to do that, as was shown earlier.
>How-To-Repeat:
Export a filesystem (mine is from a 1.3.2 box). Do the following as
user1:
% mkdir test
% cd test
% mkdir bob
% chmod 700 . bob
% echo ok > bob/jim
% chmod 444 bob/jim
Mount this on a 1.4.1 client machine, and do the following:
# mount server:/filesystem /mnt
# su user2
% cd /mnt ; ls -la test/bob/jim
ls: test/bob/jim: Permission denied
% cat test/bob/jim
cat: test/bob/jim: Permission denied
% exit
# su user1
% cd /mnt ; cat test/bob/jim
ok
% exit
# su user2
% cat test/bob/jim
ok
>Fix:
I, personally speaking, have no idea! :)
>Audit-Trail:
>Unformatted: