On Thu, 2010-05-13 at 04:07 +0400, John Lepikhin wrote:
> Package: nfs-common
> Version: 1:1.1.2-6lenny1
> Severity: grave
> Tags: security
> Justification: user security hole
>
>
> Some user is the member of group "secure". I created a directory on
> NFS share with owner "otheruser", group owner "secure", permissions
> 707 (rwx---rwx).
> User can read this directory, but he is not "otheruser" and IS the
> member of "secure" group.
>
> It seems to be a kernel bug.
That would make this a bug in the linux-2.6 package, not nfs-common. I
am reassigning this, though I cannot reproduce this on 2.6.32-12.

Note that NFS servers do not normally authenticate remote users; they
rely on clients to provide correct uids and gids. Therefore it is the
client-side group configuration you need to consider, not the
server-side configuration.

Please check that this is reproducible in a Debian-packaged kernel, and
if so then please specify more about the user and group configuration.

Ben.

-- 
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
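
Added example, not part of the thread: a small model of the standard owner/group/other permission check for the 707 directory from the report, evaluated on the uid and gids that the client states in its request. All numeric ids and the names `Cred`, `Inode`, `permission_class` and `allowed` are constructed for illustration.

```python
from dataclasses import dataclass

READ, WRITE, SEARCH = 4, 2, 1  # permission bits within one class


@dataclass(frozen=True)
class Cred:
    """Identity as the client states it; the server does not verify it."""
    uid: int
    gid: int
    gids: frozenset = frozenset()  # supplementary groups sent by the client


@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int


def permission_class(cred: Cred, inode: Inode) -> str:
    """Pick exactly one class; the first match wins, with no fall-through."""
    if cred.uid == inode.uid:
        return "owner"
    if inode.gid == cred.gid or inode.gid in cred.gids:
        return "group"
    return "other"


def allowed(cred: Cred, inode: Inode, want: int) -> bool:
    """True if every bit in `want` is set in the class that applies."""
    shift = {"owner": 6, "group": 3, "other": 0}[permission_class(cred, inode)]
    return ((inode.mode >> shift) & want) == want


# Constructed ids: otheruser=1001, user=1002, group secure=2000, users=100.
DIRECTORY = Inode(uid=1001, gid=2000, mode=0o707)  # rwx---rwx

# Client resolves the user as a member of "secure": group class applies.
MEMBER = Cred(uid=1002, gid=100, gids=frozenset({2000}))
# Same uid, but the client's group database does not list "secure":
# the server sees no matching gid and applies the "other" class.
NOT_LISTED = Cred(uid=1002, gid=100)

if __name__ == "__main__":
    for name, cred in (("member", MEMBER), ("not listed", NOT_LISTED)):
        print(name, permission_class(cred, DIRECTORY),
              allowed(cred, DIRECTORY, READ))
```

Comparing the output of `id` for the user on the client with the group that owns the directory shows which of the two cases applies.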