Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
NFS4 Client- /var/lib/nfs owned by root causes exploitation?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
dman777
l33t
l33t


Joined: 10 Jan 2007
Posts: 737

PostPosted: Sat Jun 22, 2013 6:49 pm    Post subject: NFS4 Client- /var/lib/nfs owned by root causes exploitation? Reply with quote

Something was pegging my HD(from the HD light). I have a KVM Gentoo Guest that uses Subsonic streaming software to stream music to my phone. I use a NFS v4 mount to use my music collection on my Gentoo host. When I cut the nfs daemon on the host, the pegging on the HD light stopped.

I noticed in the logs on the KVM guest there was a message from subsonic stated that NFS rpstat.d is running as root and chown /var/lib/nfs to change this. So I did a chwon subsonic_user.subsonic_user to /var/lib/nfs and the HD pegging(the light) seem to stop once I rebooted.

What kind of venerability is there when the rpstat.d shows that it is running as root and to chown /var/lib/nfs to change this?

And is there anything that I can check from when /var/lib/nfs was owned by root to make sure my host and my guest wasn't exploited?
Back to top
View user's profile Send private message
TomWij
Developer
Developer


Joined: 04 Jul 2012
Posts: 1352

PostPosted: Sat Jun 22, 2013 7:34 pm    Post subject: Re: NFS4 Client- /var/lib/nfs owned by root causes exploitat Reply with quote

dman777 wrote:
Something was pegging my HD(from the HD light).


In general, you can inspect that with iotop as root from the package sys-process/iotop.

dman777 wrote:
When I cut the nfs daemon on the host, the pegging on the HD light stopped.


Though this should make it clear it is the NFS daemon. However, one wonders if it happens locally or is a result of the network; what happens if you disconnect the computer from the network?

dman777 wrote:
I noticed in the logs on the KVM guest there was a message from subsonic stated that NFS rpstat.d is running as root and chown /var/lib/nfs to change this. So I did a chwon subsonic_user.subsonic_user to /var/lib/nfs and the HD pegging(the light) seem to stop once I rebooted. What kind of venerability is there when the rpstat.d shows that it is running as root and to chown /var/lib/nfs to change this?


Services are usually not run on root to prevent any vulnerability in the software from being exploited; not all vulnerabilities are known, and those that are known may be exploited if you don't update NFS in time. Software isn't perfect...

dman777 wrote:
And is there anything that I can check from when /var/lib/nfs was owned by root to make sure my host and my guest wasn't exploited?


Only if you have some means to track it in terms in metadata of the changes; the easiest ways would be logs, but assuming those are likely disabled by default you could look at modification times with `find -mtime ...` (see its man page on which number to specify in place of ...) and if you have enabled access times you could try `find -atime ...` as well.
Back to top
View user's profile Send private message
dman777
l33t
l33t


Joined: 10 Jan 2007
Posts: 737

PostPosted: Sun Jun 23, 2013 1:47 am    Post subject: Re: NFS4 Client- /var/lib/nfs owned by root causes exploitat Reply with quote

dman777 wrote:
I noticed in the logs on the KVM guest there was a message from subsonic stated that NFS rpstat.d is running as root and chown /var/lib/nfs to change this. So I did a chwon subsonic_user.subsonic_user to /var/lib/nfs and the HD pegging(the light) seem to stop once I rebooted. What kind of venerability is there when the rpstat.d shows that it is running as root and to chown /var/lib/nfs to change this?

Quote:

Services are usually not run on root to prevent any vulnerability in the software from being exploited; not all vulnerabilities are known, and those that are known may be exploited if you don't update NFS in time. Software isn't perfect...





That is the strange thing...I have subsonic running as non root(subsonic_user). It, I guess as a complementary service, it let me know in messages that rpc.statd was running as root and to chown /var/lib/nfs to fix this. When starting rpstat.d from /etc/init.d/rpc.statd from sysVinit, shouldn't that be taken care of automatically? How come in all the docs I read it doesn't state that /var/lib/nfs should not be owned by root?
Back to top
View user's profile Send private message
TomWij
Developer
Developer


Joined: 04 Jul 2012
Posts: 1352

PostPosted: Sun Jun 23, 2013 7:17 am    Post subject: Reply with quote

I suppose because it works that way, but something working is not secure; I guess having NFS run as root makes it easier to use it, as to not have to explicitly have to set better permissions.
Back to top
View user's profile Send private message
dman777
l33t
l33t


Joined: 10 Jan 2007
Posts: 737

PostPosted: Mon Jun 24, 2013 12:07 am    Post subject: Reply with quote

After changes, I caught the hard drive being pegged again:

Code:
 1288 be/3 root          0.00 B      0.00 B  0.00 % 58.76 % [jbd2/sda8-8]
 5895 be/4 kvmuser       0.00 B     16.00 K  0.00 % 13.04 % qemu-kvm ~=no -m 512"


Code:
localhost four # df /dev/sda8
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda8        51G   46G  1.7G  97% /kvm_guests
localhost four #


That kvmuser owned process is my subsonic guest. This iotop is from the KVM host. This is freaking me out. What could be causing this? I changed all the passwords to the Subsonic Gentoo KVM guest.
Back to top
View user's profile Send private message
Ant P.
Advocate
Advocate


Joined: 18 Apr 2009
Posts: 2207
Location: UK

PostPosted: Mon Jun 24, 2013 12:37 am    Post subject: Reply with quote

Maybe it's trying to do something harmless but dumb like index all your media files?
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum