dman777 Veteran
Joined: 10 Jan 2007 Posts: 1004
Posted: Sat Jun 22, 2013 6:49 pm Post subject: NFS4 Client- /var/lib/nfs owned by root causes exploitation?
Something was pegging my HD (from the HD light). I have a KVM Gentoo Guest that uses Subsonic streaming software to stream music to my phone. I use an NFS v4 mount to use my music collection on my Gentoo host. When I cut the nfs daemon on the host, the pegging on the HD light stopped.
I noticed in the logs on the KVM guest there was a message from subsonic stating that NFS rpc.statd is running as root and to chown /var/lib/nfs to change this. So I did a chown subsonic_user.subsonic_user to /var/lib/nfs and the HD pegging (the light) seemed to stop once I rebooted.
What kind of vulnerability is there when the rpc.statd shows that it is running as root and to chown /var/lib/nfs to change this?
And is there anything that I can check from when /var/lib/nfs was owned by root to make sure my host and my guest weren't exploited?

TomWij Retired Dev
Joined: 04 Jul 2012 Posts: 1553
Posted: Sat Jun 22, 2013 7:34 pm Post subject: Re: NFS4 Client- /var/lib/nfs owned by root causes exploitat
dman777 wrote: | Something was pegging my HD (from the HD light). |
In general, you can inspect that with iotop as root from the package sys-process/iotop.
dman777 wrote: | When I cut the nfs daemon on the host, the pegging on the HD light stopped. |
Though this should make it clear it is the NFS daemon. However, one wonders if it happens locally or is a result of the network; what happens if you disconnect the computer from the network?
dman777 wrote: | I noticed in the logs on the KVM guest there was a message from subsonic stating that NFS rpc.statd is running as root and to chown /var/lib/nfs to change this. So I did a chown subsonic_user.subsonic_user to /var/lib/nfs and the HD pegging (the light) seemed to stop once I rebooted. What kind of vulnerability is there when the rpc.statd shows that it is running as root and to chown /var/lib/nfs to change this? |
Services are usually not run as root to prevent any vulnerability in the software from being exploited; not all vulnerabilities are known, and those that are known may be exploited if you don't update NFS in time. Software isn't perfect...
dman777 wrote: | And is there anything that I can check from when /var/lib/nfs was owned by root to make sure my host and my guest weren't exploited? |
Only if you have some means to track it in terms of metadata of the changes; the easiest way would be logs, but assuming those are likely disabled by default, you could look at modification times with `find -mtime ...` (see its man page on which number to specify in place of ...) and if you have enabled access times you could try `find -atime ...` as well.
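
The `find` checks suggested in the reply above, as an added example that is not part of the original posts. It also checks ctime, because `chown` and `chmod` update ctime but not mtime. The function names and the sample tree are hypothetical; only POSIX `find` options are used.

```shell
#!/bin/sh
# Added example: function names and the sample tree are hypothetical.

# Entries under DIR whose *content* changed in the last DAYS days (mtime).
# -xdev stays on one filesystem, so anything mounted below DIR is skipped.
changed_mtime() {
    find "$1" -xdev -mtime "-$2" -exec ls -ld {} +
}

# Entries whose *inode* changed in the last DAYS days (ctime). chown, chmod
# and touch all update ctime, so this also shows ownership changes and
# files whose mtime was set back by hand.
changed_ctime() {
    find "$1" -xdev -ctime "-$2" -exec ls -ldc {} +
}

# Entries under DIR that are not owned by OWNER (user name or numeric uid).
foreign_owner() {
    find "$1" -xdev ! -user "$2" -exec ls -ld {} +
}

# Constructed sample tree (not real NFS state): one fresh file and one file
# whose mtime is backdated to 1 Jun 2013.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/sm"
    touch "$d/state"
    touch -t 201306010000 "$d/sm/old-entry"
    echo "$d"
}

# Run against a real directory only when one is named on the command line,
# e.g.  sh audit.sh /var/lib/nfs 7 subsonic_user
if [ "$#" -eq 3 ]; then
    echo "== mtime within $2 days";  changed_mtime "$1" "$2"
    echo "== ctime within $2 days";  changed_ctime "$1" "$2"
    echo "== not owned by $3";       foreign_owner "$1" "$3"
fi
```

A file that appears in the ctime list but not in the mtime list had its metadata changed (owner, mode or timestamps) without its content being rewritten.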

dman777 Veteran
Joined: 10 Jan 2007 Posts: 1004
Posted: Sun Jun 23, 2013 1:47 am Post subject: Re: NFS4 Client- /var/lib/nfs owned by root causes exploitat
dman777 wrote: | I noticed in the logs on the KVM guest there was a message from subsonic stating that NFS rpc.statd is running as root and to chown /var/lib/nfs to change this. So I did a chown subsonic_user.subsonic_user to /var/lib/nfs and the HD pegging (the light) seemed to stop once I rebooted. What kind of vulnerability is there when the rpc.statd shows that it is running as root and to chown /var/lib/nfs to change this? |
Quote: |
Services are usually not run as root to prevent any vulnerability in the software from being exploited; not all vulnerabilities are known, and those that are known may be exploited if you don't update NFS in time. Software isn't perfect...
|
That is the strange thing... I have subsonic running as non-root (subsonic_user). I guess as a complimentary service, it let me know in messages that rpc.statd was running as root and to chown /var/lib/nfs to fix this. When starting rpc.statd from /etc/init.d/rpc.statd from sysVinit, shouldn't that be taken care of automatically? How come in all the docs I read it doesn't state that /var/lib/nfs should not be owned by root?

TomWij Retired Dev
Joined: 04 Jul 2012 Posts: 1553
Posted: Sun Jun 23, 2013 7:17 am
I suppose because it works that way, but something working is not secure; I guess having NFS run as root makes it easier to use it, so as not to have to explicitly set better permissions.

dman777 Veteran
Joined: 10 Jan 2007 Posts: 1004
Posted: Mon Jun 24, 2013 12:07 am
After changes, I caught the hard drive being pegged again:
Code: | 1288 be/3 root 0.00 B 0.00 B 0.00 % 58.76 % [jbd2/sda8-8]
5895 be/4 kvmuser 0.00 B 16.00 K 0.00 % 13.04 % qemu-kvm ~=no -m 512"
|
Code: | localhost four # df /dev/sda8
Filesystem Size Used Avail Use% Mounted on
/dev/sda8 51G 46G 1.7G 97% /kvm_guests
localhost four #
|
That kvmuser-owned process is my subsonic guest. This iotop is from the KVM host. This is freaking me out. What could be causing this? I changed all the passwords to the Subsonic Gentoo KVM guest.

Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Mon Jun 24, 2013 12:37 am
Maybe it's trying to do something harmless but dumb like index all your media files?