NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
HUGE SECURITY HOLE!! /homes is nfs exported to WORLD!!!
This is an advisory for a HUGE SECURITY HOLE!!!
This issue will affect any user that may be using ReadyNAS on a routed Internet network (as opposed to NAT) where there may be the very real possibility of an insufficient firewall to protect nfs/UDP traffic.
I have confirmed that this problem exists on:
Model: ReadyNAS Ultra 4 Plus [X-RAID2]
Serial: 2HU2130W00320
Firmware: RAIDiator 4.2.17
Memory: 1024 MB [DDR2]
I was running some nfs tests and ran into the often posted issue of dealing with nfs to mount /homes. I found that I couldn't use rsync to copy to/from any user /home dir so I found it necessary to nfs mount /homes on my Solaris system in order to perform the backups that I needed. Of course I ran into the root_squash problem which made it impossible to reliably backup user directories from my Solaris machine to the ReadyNAS when there were non-user owned files in the various user directories. So I installed the SSH add-on and proceeded to look at the /etc/exports file on the ReadyNAS and found the following configuration for the /homes export:
# more exports
"/backup" host1(insecure,insecure_locks,rw,no_root_squash,sync)
"/media" host1(insecure,insecure_locks,rw,no_root_squash,async)
"/vault" host1(insecure,insecure_locks,rw,no_root_squash,sync)
"/homes" *(insecure,insecure_locks,rw,sync)
# exportfs -v
/c/backup host1(rw,wdelay,insecure,no_root_squash,no_subtree_check,insecure_locks)
/c/media host1(rw,async,wdelay,insecure,no_root_squash,no_subtree_check,insecure_locks)
/c/vault host1(rw,wdelay,insecure,no_root_squash,no_subtree_check,insecure_locks)
/c/home <world>(rw,wdelay,insecure,root_squash,no_subtree_check,insecure_locks)
The various other shares were limited to 'host1' but the /homes entry was just '*' !!
At first I didn't believe what I was seeing and thought that perhaps the ReadyNAS was using hosts.allow/hosts.deny to limit nfs access to the local network which is an ok but not great approach. Unfortunately looking at those files revealed no filtering at all!!
OK, perhaps there are some ipfilters defined that I haven't found - but nope none there!
So, to confirm that there appeared to be NO SECURITY limits for /homes, I just attempted to mount /homes on another Unix box outside the local network and presto - /homes mounted - :evil:
This level of security hole is nothing short of UNBELIEVABLE
As has been noted in other posts - Frontview does not yet provide support for limiting nfs access to /homes shares which was considered to be a minor annoyance but I can now confirm that if 'Export home shares over NFS' is enabled then the /homes tree can be mounted by any host!
This security problem can be alleviated by using the SSH add-on (thank you for this great feature!) and modifying the /etc/exports file to replace the '*' with the hostname that you want to restrict nfs access to the /homes tree however, as SSH access is a geek-level add-on feature, any user that is using just the Frontview web interface will be blissfully unaware of this HUGE security hole!
I hope that Netgear will take quick and immediate steps to release an Update to RAIDiator as soon as possible so that the same NFS and Rsync security can be applied to the /homes user shares as all other general shares on the ReadyNAS. Actually it would sure be nice if the /homes share was added to the Share Listing page so that it can easily be found and managed the same way all of the other shares are managed through a common interface.
Overall, with the exception of this security hole I am impressed with the ReadyNAS product and I am looking forward to integrating into my networks as it has shown to have a very full set of features and works well in a heterogeneous computing environment.
---
Bob
This issue will affect any user that may be using ReadyNAS on a routed Internet network (as opposed to NAT) where there may be the very real possibility of an insufficient firewall to protect nfs/UDP traffic.
I have confirmed that this problem exists on:
Model: ReadyNAS Ultra 4 Plus [X-RAID2]
Serial: 2HU2130W00320
Firmware: RAIDiator 4.2.17
Memory: 1024 MB [DDR2]
I was running some nfs tests and ran into the often posted issue of dealing with nfs to mount /homes. I found that I couldn't use rsync to copy to/from any user /home dir so I found it necessary to nfs mount /homes on my Solaris system in order to perform the backups that I needed. Of course I ran into the root_squash problem which made it impossible to reliably backup user directories from my Solaris machine to the ReadyNAS when there were non-user owned files in the various user directories. So I installed the SSH add-on and proceeded to look at the /etc/exports file on the ReadyNAS and found the following configuration for the /homes export:
# more exports
"/backup" host1(insecure,insecure_locks,rw,no_root_squash,sync)
"/media" host1(insecure,insecure_locks,rw,no_root_squash,async)
"/vault" host1(insecure,insecure_locks,rw,no_root_squash,sync)
"/homes" *(insecure,insecure_locks,rw,sync)
# exportfs -v
/c/backup host1(rw,wdelay,insecure,no_root_squash,no_subtree_check,insecure_locks)
/c/media host1(rw,async,wdelay,insecure,no_root_squash,no_subtree_check,insecure_locks)
/c/vault host1(rw,wdelay,insecure,no_root_squash,no_subtree_check,insecure_locks)
/c/home <world>(rw,wdelay,insecure,root_squash,no_subtree_check,insecure_locks)
The various other shares were limited to 'host1' but the /homes entry was just '*' !!
At first I didn't believe what I was seeing and thought that perhaps the ReadyNAS was using hosts.allow/hosts.deny to limit nfs access to the local network which is an ok but not great approach. Unfortunately looking at those files revealed no filtering at all!!
OK, perhaps there are some ipfilters defined that I haven't found - but nope none there!
So, to confirm that there appeared to be NO SECURITY limits for /homes, I just attempted to mount /homes on another Unix box outside the local network and presto - /homes mounted - :evil:
This level of security hole is nothing short of UNBELIEVABLE
As has been noted in other posts - Frontview does not yet provide support for limiting nfs access to /homes shares which was considered to be a minor annoyance but I can now confirm that if 'Export home shares over NFS' is enabled then the /homes tree can be mounted by any host!
This security problem can be alleviated by using the SSH add-on (thank you for this great feature!) and modifying the /etc/exports file to replace the '*' with the hostname that you want to restrict nfs access to the /homes tree however, as SSH access is a geek-level add-on feature, any user that is using just the Frontview web interface will be blissfully unaware of this HUGE security hole!
I hope that Netgear will take quick and immediate steps to release an Update to RAIDiator as soon as possible so that the same NFS and Rsync security can be applied to the /homes user shares as all other general shares on the ReadyNAS. Actually it would sure be nice if the /homes share was added to the Share Listing page so that it can easily be found and managed the same way all of the other shares are managed through a common interface.
Overall, with the exception of this security hole I am impressed with the ReadyNAS product and I am looking forward to integrating into my networks as it has shown to have a very full set of features and works well in a heterogeneous computing environment.
---
Bob
9 Replies
Replies have been turned off for this discussion
- Is this like this on a NAS out of the box? I have checked my exports file and I don't have there any share for 'home'.
Only for 'media' and 'backup' - It must first be enabled in "Security >> Users & Groups >> Preferences"
- So if this is really the case -I mean there is a security gap- then I suppose you should submit an official ticket to Netgear.
- I've passed this along for review.
As mentioned, it is not on by default. Best scenario also mentioned is to file a feature enhancement request with support, where future firmware could possibly give more Hostname Access control/etc for Home shares. - This is still a massive issue. What is the status of this?
I also note that even if you modify /etc/exports to restrict homes by IP, you can still access a home directory remotely via SMB if it is mounted somewhere on the network via NFS. WTF!!! - What version of RAIDiator are you running acbot? Have you contacted NetGear tech support as suggested?
Why are you surprised that editing NFS permissions has no impact on Samba? Samba permissions are completely separate to NFS permissions. /etc/exports only has the permissions for NFS access to shares.
Samba permissions are in /etc/samba/smb.conf
Take a look at the [homes] section and comment out/edit the following line:
valid users = %S,"admin","Administrator"
Note that commenting out the samba settings for home shares may stop home shares from being created automatically. - Raidiator 4.1.8
I appreciate NFS permissions aren't related to SMB permissions. To enable NFS I have to set 'private home shares for users' to 'enabled' under 'security > users & groups > preferences'. This is what turns SMB home sharing on and off. Why is this a prerequisite to use NFS? And why isn't there a warning in giant letters saying that if you enable 'private home shares for users' that they aren't really private at all.
I commented out everything under [homes] in smb.conf and smb is now doing what I want but this should be the default position not something I have to SSH into a box to change. Talk about violating the principle of least astonishment. - If I understand this post, then to use NFS and not share my NAS with the world I need to replace the "*" in the /etc/export file with the IP address of the other UNIX box. Something like 192.168.1.xxx of the other computer.
But what do I do if that IP address is not stable and changes each time that computer is powered up? Do I use the UID of 501, something else or are there additional changes that need to be made?
Thanks for your help.
Edit: Are there setting in FrontView I should also be setting? JosephAE wrote:
But what do I do if that IP address is not stable and changes each time that computer is powered up?
Either fix the IP address (static addressing or via DHCP reservation) or use the hostname of the client - though ths presumes you have solid name resolution on your network for clients with dynamic ip addresses
NETGEAR Academy
Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!
