Bug#869662: gvfs-backends: gvfs-nfs not possible to mount nfs exports with option secure

Stefan Tatschner stefan.tatschner at gmail.com
Fri Aug 4 20:59:42 UTC 2017 

On Tue, Jul 25, 2017 at 7:33 PM, Simon McVittie <smcv at debian.org> wrote:
> On Tue, 25 Jul 2017 at 14:47:46 +0200, Stefan Tatschner wrote:
>> it is not possible to mount an nfs share using nautilus (which in turn uses
>> gvfs-nfs) that is exported with the "secure" option. The nfs secure option is
>> the default for nfs exports. It means, that the nfs server does not accept connections
>> from an unprivileged source port (portno < 1024).
>
> The "secure" option is meant to mean exactly "only root can mount this".
> gvfs isn't root. You asked for it, you got it? :-)

root, or processes with cap_net_bind_service, which is also not root.
You mentioned it, you got it? Just kidding. :)

>> - Set the cap_net_bind_service capability on the binary "/usr/lib/gvfs/gvfsd-nfs"
>
> That would mean that servers believe that gvfsd-nfs is a trusted,
> root-owned process (inasmuch as they trust other machines on the network,
> which they probably should not), even when it isn't. Misguided though the
> "secure" option is, that seems misleading at best, and in the worst case
> potentially a security vulnerability.

The "secure" option at most prevents that malicious software on the
*client* mounts the nfs share. Beyond that, the secure options does
not add further protection on the client side, e.g. since if the nfs
share *is* already mounted, then a local attacker can access the
share. Nfs exports should only be exposed in trusted networks; such
networks can be created by authenticating each node using strong
cryptographic technologies like kerberos (nfsv4) or point to point vpn
tunnels (wireguard, ipsec, ...). From a security perspective the nfs
"secure" option is very weak and I cannot recommend to rely on that
option for system/network security.

At least I can see your point and IMO it makes sense to maybe not add
"cap_net_bind_service". Instead I suggest developping a polkit rule
that a user with admin caps must confirm an nfs mount request with his
password. Without any of these the gvfs GUI capabilities for nfs are
not usable. That might be the reason why the arch folks have added
cap_net_bind_service to the binary, as recommended in the
documentation (I have posted the relevant links in the first email).

Stefan

More information about the pkg-gnome-maintainers mailing list