NFSv4 mount point does not allow binary files to run when permissions are set only to execute

I've opened an upstream bug as well.

https://bugzilla.linux-nfs.org/show_bug.cgi?id=201

Leonardo

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 833300

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

There seems to be an upstream patch available in http://marc.info/?l=linux-nfs&m=131428919915674&w=2

I reproduced this problem per your setup on Ubuntu 10.04 LTS server and client. There nfs4 would not work (e.g. permission denied), but nfs3 works. However, on Oneiric as server neither nor works:

spindler@spitfire:~$ sudo mount -t nfs -o vers=3 meteor:/home/spindler/export /mnt-meteor
spindler@spitfire:~$ /mnt-meteor/hello
bash: /mnt-meteor/hello: Permission denied
spindler@spitfire:~$ mount -v | grep mnt-meteor
meteor:/home/spindler/export on /mnt-meteor type nfs (rw,vers=3,addr=192.168.1.122)

I've patched a Lucid kernel with the patch from your upstream bugreport:
https://bugzilla.linux-nfs.org/show_bug.cgi?id=201
and attached it here. While the execution of a binary works now, the execution of shell scripts and even the inspection of the script does work as well:

spindler@spitfire:~$ ls -al /mnt/hello.sh
---x--x--x 1 4294967294 4294967294 33 2011-09-14 08:53 /mnt/hello.sh
spindler@spitfire:~$ /mnt/hello.sh
Hello Leonardo
spindler@spitfire:~$ cat /mnt/hello.sh
#!/bin/sh

echo "Hello Leonardo"
spindler@spitfire:~$ mount -v | grep mnt
spitfire:/ on /mnt type nfs4 (rw,proto=tcp,port=2049,clientaddr=127.0.1.1,addr=127.0.1.1)

Same problem with modified Oneiric kernel as server:

spindler@spitfire:/mnt-meteor$ ls -al
total 24
drwxrwxr-x 2 spindler spindler 4096 2011-09-14 10:16 .
drwxr-xr-x 23 root root 4096 2011-09-14 08:49 ..
---x--x--x 1 spindler spindler 7139 2011-09-14 10:16 hello
-rw-rw-r-- 1 spindler spindler 99 2011-09-13 14:35 hello.c
---x--x--x 1 spindler spindler 33 2011-09-13 14:36 hello.sh
spindler@spitfire:/mnt-meteor$ ./hello
Hello Leonardo
spindler@spitfire:/mnt-meteor$ ./hello.sh
Hello Leonardo
spindler@spitfire:/mnt-meteor$ mount -v | grep meteor
meteor:/ on /mnt-meteor type nfs4 (rw,proto=tcp,port=2049,clientaddr=192.168.1.141,addr=192.168.1.122)
spindler@spitfire:/mnt-meteor$

Hello Torsten,

Same problem here.
The patch solves the binary file but now it also allows scripts to run
which is a security issue. I am reopening this bug with upstream. See the info below.

ubuntu@ubuntu:~$ sudo umount /mnt/
ubuntu@ubuntu:~$ sudo mount -t nfs4 -o proto=tcp,port=2049 ubuntu:/ /mnt
ubuntu@ubuntu:~$ uname -a
Linux ubuntu 2.6.32-34-generic #77~lp833300 SMP Wed Sep 14 11:10:49 CEST 2011
i686 i686 i386 GNU/Linux
ubuntu@ubuntu:~$ cd /mnt/
ubuntu@ubuntu:/mnt$ ls -la
total 24
drwxrwxrwx 2 4294967294 4294967294 4096 2011-09-21 16:25 .
drwxr-xr-x 22 root root 4096 2011-09-21 16:18 ..
-rw-r--r-- 1 4294967294 4294967294 72 2011-09-21 16:25 a.c
---x--x--x 1 4294967294 4294967294 7127 2011-09-21 16:25 a.out
---x--x--x 1 4294967294 4294967294 23 2011-09-21 16:20 b.sh
ubuntu@ubuntu:/mnt$ ./a.out
Hello C programming
ubuntu@ubuntu:/mnt$ ./b.sh
hello
ubuntu@ubuntu:/mnt$

Thank you in advance!

Leonardo

Hi Guys,

I got an answer from upstream and they actually filled another bug since it seems to be related to the client itself.

https://bugzilla.linux-nfs.org/show_bug.cgi?id=204

They will provide a patch so I can test it.

Leonardo

This is a note to let you know that developers have just added the patch titled

   nfsd4: permit read opens of executable-only files

to the 3.0-stable tree which can be found at:
   http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
    nfsd4-permit-read-opens-of-executable-only-files.patch
and it can be found in the queue-3.0 subdirectory.

commit a043226bc140a2c1dde162246d68a67e5043e6b2 upstream.

I can reproduce this failure on natty/oneiric just fine.

I then applied the upstream patch (a043226bc140a2c1dde162246d68a67e5043e6b2), that was identified in the public bug and upstream bug.

After doing this I installed the tools on my laptop:
  apt-get install nfs-common nfs-kernel-server

Then I setup of /etc/exports as described in the bug to a directory on my laptop (ext4).
  /path/to/dir *(rw,sync,fsid=0,no_subtree_check)

I then had to insert the module and restart the server:
  sudo modprobe nfs
  sudo service nfs-kernel-server restart

I mounted the directory:
  sudo mount -t nfs4 -o proto=tcp,port=2049 localhost:/ /mnt

I created a similar c program and compiled. I put this into the shared folder.
I could run it with normal permissions.
I then did 'chmod 111 ./a.out' and then I could not run the program (Permission denied) if I was doing it via the /mnt directory.

arges@arges-virtual-machine:/mnt$ ls -la
total 24
drwxr-xr-x 2 4294967294 4294967294 4096 2011-11-17 10:12 .
drwxr-xr-x 22 root root 4096 2011-11-17 09:57 ..
---x--x--x 1 4294967294 4294967294 8425 2011-11-17 10:12 a.out
-rw-r--r-- 1 4294967294 4294967294 73 2011-11-17 10:12 hello.c
arges@arges-virtual-machine:/mnt$ ./a.out
-bash: ./a.out: Permission denied
arges@arges-virtual-machine:/mnt$ mount -v
/dev/vda1 on / type ext4 (rw,errors=remount-ro,commit=0)
<snip>
nfsd on /proc/fs/nfsd type nfsd (rw)
localhost:/ on /mnt type nfs (rw,vers=4,addr=127.0.0.1,clientaddr=127.0.0.1)

I could run it if I wasn't running it over the nfsv4 share (sanity check):

arges@arges-virtual-machine:/mnt$ cd ~/Test/
arges@arges-virtual-machine:~/Test$ ls -la
total 24
drwxr-xr-x 2 arges arges 4096 2011-11-17 10:12 .
drwxr-xr-x 22 arges arges 4096 2011-11-17 10:10 ..
---x--x--x 1 arges arges 8425 2011-11-17 10:12 a.out
-rw-r--r-- 1 arges arges 73 2011-11-17 10:12 hello.c
arges@arges-virtual-machine:~/Test$ ./a.out
hello binary

Hi Chris,

Thanks for taking a look at this issue. So it looks like the upstream fix does not solve the issue. Could you please report this to upstream?

Leonardo

Hi Chris,

Thanks for taking a look at this issue. So it looks like the upstream patch does not solve the issue.
Could please write your findings on the thread below:
http://comments.gmane.org/gmane.linux.nfs/43028

Leonardo

@lborda,
I've responded that this does not solve the issue:
http://comments.gmane.org/gmane.linux.nfs/43028

Using the above test setup, and trying various clients I see a mismatch:

Using a newer nfs client (nfs-common 1:1.2.2-4), I can read a file with 111 permissions, but cannot execute it.
With an older nfs client (nfs-common 1:1.2.0-4), I can read and execute a file with 111 permissions.

Contacted upstream nfsv4 maintainer about this. This may be an nfs-common / nfsv4 client issue.

Attached is the backport of a043226bc140a2c1dde162246d68a67e5043e6b2 for natty.

Attached is the backport of a043226bc140a2c1dde162246d68a67e5043e6b2 for lucid.

SRU request sent to kernel mailing list.

rtg@lochsa:~/ubuntu/ubuntu-oneiric$ git describe --contains 0b9653a06ba3e845386dc9f86d2d3fdebf7bb9db
Ubuntu-3.0.0-14.23~170

This bug is awaiting verification that the kernel for Natty in -proposed solves the problem (2.6.38-13.54). Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-natty' to 'verification-done-natty'.

If verification is not done by one week from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

This bug is also awaiting verification that the kernel for Lucid in -proposed solves the problem (2.6.32-38.83). If the problem is solved, change the tag 'verification-needed-lucid' to 'verification-done-lucid'.

@herton
Cannot verify natty. It does not work with the latest nfs-common, and with the older nfs-common as identified in the bug.

using a VM with natty -proposed running a server. and a VM with lucid -proposed running the client. The client can mount the directory and execute a binary with 111 permissions.

@Chris and @herton!!

Thank you for your work!!!

Leonardo

This bug was fixed in the package linux - 2.6.32-38.83

---------------
linux (2.6.32-38.83) lucid-proposed; urgency=low

  [Herton R. Krzesinski]

  * Release Tracking Bug
    - LP: #911405

  [ Upstream Kernel Changes ]

  * Revert "clockevents: Set noop handler in clockevents_exchange_device()"
    - LP: #911392
  * Linux 2.6.32.52
    - LP: #911392

linux (2.6.32-38.82) lucid-proposed; urgency=low

  [Herton R. Krzesinski]

  * Release Tracking Bug
    - LP: #910906

  [ Tetsuo Handa ]

  * SAUCE: netns: Add quota for number of NET_NS instances.

  [ Tim Gardner ]

  * [Config] CONFIG_NET_NS=y
    - LP: #790863

  [ Upstream Kernel Changes ]

  * Revert "core: Fix memory leak/corruption on VLAN GRO_DROP,
    CVE-2011-1576"
  * hfs: fix hfs_find_init() sb->ext_tree NULL ptr oops, CVE-2011-2203
    - LP: #899466
    - CVE-2011-2203
  * net: ipv4: relax AF_INET check in bind()
    - LP: #900396
  * KEYS: Fix a NULL pointer deref in the user-defined key type,
    CVE-2011-4110
    - LP: #894369
    - CVE-2011-4110
  * i2c-algo-bit: Generate correct i2c address sequence for 10-bit target
    - LP: #902317
  * eCryptfs: Extend array bounds for all filename chars
    - LP: #902317
  * PCI hotplug: shpchp: don't blindly claim non-AMD 0x7450 device IDs
    - LP: #902317
  * ARM: 7161/1: errata: no automatic store buffer drain
    - LP: #902317
  * ALSA: lx6464es - fix device communication via command bus
    - LP: #902317
  * SUNRPC: Ensure we return EAGAIN in xs_nospace if congestion is cleared
    - LP: #902317
  * timekeeping: add arch_offset hook to ktime_get functions
    - LP: #902317
  * p54spi: Add missing spin_lock_init
    - LP: #902317
  * p54spi: Fix workqueue deadlock
    - LP: #902317
  * nl80211: fix MAC address validation
    - LP: #902317
  * gro: reset vlan_tci on reuse
    - LP: #902317
  * staging: usbip: bugfix for deadlock
    - LP: #902317
  * staging: comedi: fix oops for USB DAQ devices.
    - LP: #902317
  * Staging: comedi: fix signal handling in read and write
    - LP: #902317
  * USB: whci-hcd: fix endian conversion in qset_clear()
    - LP: #902317
  * usb: ftdi_sio: add PID for Propox ISPcable III
    - LP: #902317
  * usb: option: add SIMCom SIM5218
    - LP: #902317
  * USB: usb-storage: unusual_devs entry for Kingston DT 101 G2
    - LP: #902317
  * SCSI: scsi_lib: fix potential NULL dereference
    - LP: #902317
  * SCSI: Silencing 'killing requests for dead queue'
    - LP: #902317
  * cifs: fix cifs stable patch cifs-fix-oplock-break-handling-try-2.patch
    - LP: #902317
  * sched, x86: Avoid unnecessary overflow in sched_clock
    - LP: #902317
  * x86/mpparse: Account for bus types other than ISA and PCI
    - LP: #902317
  * oprofile, x86: Fix crash when unloading module (nmi timer mode)
    - LP: #902317
  * genirq: Fix race condition when stopping the irq thread
    - LP: #902317
  * tick-broadcast: Stop active broadcast device when replacing it
    - LP: #902317
  * clockevents: Set noop handler in clockevents_exchange_device()
    - LP: #902317
  * Linux 2.6.32.50
    - LP: #902317
  * nfsd4: permit read opens of executable-only files
    - LP: #833300
  * ipv6: Allow inet6_dump_addr() to handle more t...

This bug was fixed in the package linux - 2.6.38-13.54

---------------
linux (2.6.38-13.54) natty-proposed; urgency=low

  [Herton R. Krzesinski]

  * Release Tracking Bug
    - LP: #911195

  [ Alex Bligh ]

  * (config) Change Xen paravirt drivers to be built-in
    - LP: #886521

  [ Paolo Pisati ]

  * [Config] DEFAULT_MMAP_MIN_ADDR=32k on arm
    - LP: #903346

  [ Seth Forshee ]

  * SAUCE: dell-wmi: Demote unknown WMI event message to pr_debug
    - LP: #581312

  [ Upstream Kernel Changes ]

  * VFS: Fix vfsmount overput on simultaneous automount
    - LP: #769927
  * TPM: Zero buffer after copying to userspace, CVE-2011-1162
    - LP: #899463
    - CVE-2011-1162
  * hfs: fix hfs_find_init() sb->ext_tree NULL ptr oops, CVE-2011-2203
    - LP: #899466
    - CVE-2011-2203
  * KEYS: Fix a NULL pointer deref in the user-defined key type,
    CVE-2011-4110
    - LP: #894369
    - CVE-2011-4110
  * nfsd4: permit read opens of executable-only files
    - LP: #833300
  * Support for Terratec G1
    - LP: #821061
 -- Herton Ronaldo Krzesinski <email address hidden> Tue, 03 Jan 2012 10:03:15 -0200

This release has reached end-of-life [0].

[0] https://wiki.ubuntu.com/Releases