Download Network File System (NFS)

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
Document related concepts

Cross-site scripting wikipedia , lookup

Distributed firewall wikipedia , lookup

Wireless security wikipedia , lookup

Computer security wikipedia , lookup

Security-focused operating system wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Security and safety features new to Windows Vista wikipedia , lookup

Access control wikipedia , lookup

Cybercrime countermeasures wikipedia , lookup

Mobile security wikipedia , lookup

Unix security wikipedia , lookup

Transcript 
Network File System (NFS)
Coleman Kane
[email protected]
March 2, 2015
Security Vulnerability Assessment
Netowrk File System – 1 / 8
Network File System (NFS)
Network File
System (NFS)
Components
Service Access
RPC Services
RPC Vulnerability:
statd & lockd
RPC Vulnerability:
statd SIGPIPE
Access Controls
One of the most common schemes for providing
network-based file shares within a network is NFS. The
protocol is ubiquitous and supported generally by every
UNIX-like variant, as well as being supported by operating
systems by Microsoft and Apple. The system provides a
system for permission management, as well as user and
role-based access controls. The protocol dates itself to the
1980’s, with the current version released in 2000 and an
update in 2010.
Security Vulnerability Assessment
Netowrk File System – 2 / 8
Components
Network File
System (NFS)
Components
Service Access
RPC Services
RPC Vulnerability:
statd & lockd
RPC Vulnerability:
statd SIGPIPE
Access Controls
Like many network servers, NFS is implemented as a suite
of function-specific components that together build a
functioning NFS implementation. This includes:
RPC services to provide service identification,
availability, and NFS file-locking
■ NFS daemon to provide the file access
■ Server configurations which define access controls and
what portions of the server to export
■
Security Vulnerability Assessment
Netowrk File System – 3 / 8
Service Access
Network File
System (NFS)
Components
Service Access
RPC Services
RPC Vulnerability:
statd & lockd
RPC Vulnerability:
statd SIGPIPE
Access Controls
In many cases, the following two components will be
network-attached services executing with root permissions
on the server.
RPC services
■ NFS Daemon
■
In the above, the RPC dependency would be considered
unituitive out-of-the-box, and as such can introduce an
unexpected vulnerability into the system.
Security Vulnerability Assessment
Netowrk File System – 4 / 8
RPC Services
Network File
System (NFS)
Components
Service Access
RPC Services
RPC Vulnerability:
statd & lockd
RPC Vulnerability:
statd SIGPIPE
Access Controls
In many NFS configurations, there are four RPC services
responsible for supporting the system:
port mapper Typically either rpcbind or portmap, this
service is running on a known port (111). NFS was
designed to publish itself to this system as a listening
service.
lock daemon Typically rpc.lockd, designed to manage
file-locking operations across the network mounts on
different clients.
stat daemon Works in tandem with lock daemon to
facilitate crash/reboot recovery
mount daemon Facilitates mount / unmount requests
(session management for NFS)
The above list is not comprehensive, and there exist other
services providing additional features as well.
Security Vulnerability Assessment
Netowrk File System – 5 / 8
RPC Vulnerability: statd & lockd
Network File
System (NFS)
Components
Service Access
RPC Services
RPC Vulnerability:
statd & lockd
RPC Vulnerability:
statd SIGPIPE
Access Controls
Both of these services are provided for supporting
additional features to clients. In most cases, clients will
support blocking lock operations if they are running. Buggy
versions of these tools can introduce vulnerabilities into the
system:
Client denial of service after crash or deadlock
■ Server-side unauthorized root access and even RCE
■
Apple OS X <= 10.6.6 has a good example in
CVE-2011-0183
Security Vulnerability Assessment
Netowrk File System – 6 / 8
RPC Vulnerability: statd SIGPIPE
Network File
System (NFS)
Components
Service Access
RPC Services
RPC Vulnerability:
statd & lockd
RPC Vulnerability:
statd SIGPIPE
Access Controls
In 2004, rpc.statd commonly installed on many UNIX
systems and Linux systems was identified to contain a
vulnerability where it incorrectly handled SIGPIPE.
PIPE signal is typically sent when a file handle is closed
outside the current process. It tells the current process that
the other end of the handle closed, such as the remote side
of connections.
Security Vulnerability Assessment
Netowrk File System – 7 / 8
Access Controls
Network File
System (NFS)
Components
Service Access
RPC Services
RPC Vulnerability:
statd & lockd
RPC Vulnerability:
statd SIGPIPE
Access Controls
Access control is managed through a text file named
/etc/exports. This file allows you to control many access
options.
Host-based (domain or IP) access control
■ Restrict to parts of filesystem hierarchy
■ Remapping of user Ids (prevent root access, etc.)
■
Security Vulnerability Assessment
Netowrk File System – 8 / 8
Related documents
Slide 1
Slide 1
Assessing vulnerability to climate change in South East Europe
Assessing vulnerability to climate change in South East Europe
photo.net Introduction - ADUni.org: ArsDigita University
photo.net Introduction - ADUni.org: ArsDigita University
Remember to use a large enough font
Remember to use a large enough font
Climate Change Impacts in the Context of Economic Globalization
Climate Change Impacts in the Context of Economic Globalization
Climate change vulnerability and adaptation research at TERI
Climate change vulnerability and adaptation research at TERI
Distributed Programming and Remote Procedure Calls
Distributed Programming and Remote Procedure Calls
Communication Chapter 2
Communication Chapter 2
Vulnerability Assessment
Vulnerability Assessment
Lab-5 Description
Lab-5 Description
Understanding RPC Efficiencies And The Cross-talks
Understanding RPC Efficiencies And The Cross-talks
Climate Change Vulnerability: Linking Impacts and Adaptation
Climate Change Vulnerability: Linking Impacts and Adaptation
Distributed (Operating) Systems -Architectures
Distributed (Operating) Systems -Architectures
Distributed NFS
Distributed NFS
Tuning and Optimizing Network File System Server Performance
Tuning and Optimizing Network File System Server Performance