266 points longwave | 13 comments
1. Hello71 ◴[] No.10967064[source]
> NFS ran in plaintext and used the sender’s IP address for authentication

and it still does

replies(2): >>10967085 #>>10967370 #
2. markild ◴[] No.10967085[source]
There are solutions though[1]

[1]: https://wiki.debian.org/NFS/Kerberos

replies(1): >>10967510 #
3. DonHopkins ◴[] No.10967370[source]
It was much worse than that.

Back when I was a summer intern at Sun in 1987, it was common knowledge among the engineers at Sun that NFS stood for "No File Security", and the rpc mount protocol would trust the client to tell the server its host name, which the server would look up in /etc/exports to decide how much to trust it.

So if you know that Scott McNealy's workstation's name was "doober" (which it was), and it gave permission to a server named "mama", then on any workstation you could type:

% hostname mama; mount doober:/usr /mnt; hostname `hostname`

And you'd have Scott McNealy's /usr file system mounted.

This also worked over the internet!

replies(2): >>10968011 #>>10968015 #
4. pjc50 ◴[] No.10967510[source]
Actually getting Kerberos+NFS to work is a huge pain, though. Then there's the consideration of userid mapping.
replies(1): >>10967774 #
5. toast0 ◴[] No.10967774{3}[source]
Userid mapping is easy: Centrally manage the password file, so you don't need to map. Anything else is madness; hopefully you figure this out early, it is painful to fix later.
replies(1): >>10972319 #
6. smarks ◴[] No.10968011[source]
I thought "doober" was Wayne Rosing's machine.

(Not that this is of any consequence....) :-)

replies(1): >>10968059 #
7. tptacek ◴[] No.10968015[source]
NFS used to be one of the most popular ways to break into machines on the 1990s Internet. Leendert van Doorn wrote a CLI for NFS that was modified with a bunch of different exploits and passed around among hackers. Everyone who attacked Unix systems in (say) 1995 had a copy of NFS shell.
replies(1): >>10968212 #
8. DonHopkins ◴[] No.10968059{3}[source]
I grepped some old email, and you're right! My favorite email address from that time was eat@joes.
replies(1): >>10970160 #
9. apk17 ◴[] No.10968212{3}[source]
I wrote one myself. Fun things: 'int getuid() { return 0; }' in the userland code was sufficient for authentication. And the mountd returned the root handle of the file system. When you presented that handle to nfsd it would happily serve you even when you are no longer in the exports table.
replies(1): >>10968279 #
10. tptacek ◴[] No.10968279{4}[source]
NFS also hosted one of the first widely-exploited integer overflows (not for code exec, but for privilege escalation).
11. smarks ◴[] No.10970160{4}[source]
(WARNING: crusty Sun old-timer memories follow)

For those who aren't familiar with this, up until the mid-1990s or so, Sun let individual engineers name their own workstations. In fact many regarded this as a privilege. Each workstation ran its own copy of sendmail, so one's email address was login@hostname. People came up with all kinds of clever login/hostname combinations, such as what Don mentioned, eat@joes.

My all-time favorite was Rich Burridge's, whose workstation was named "stard". Since his login was richb, his email address was...

richb@stard

replies(1): >>10970268 #
12. DonHopkins ◴[] No.10970268{5}[source]
Speaking of rich bastards, who could forget Rich Morin's "Canta Forda Computer Laboratory"? http://www.cfcl.com/
13. gm3dmo ◴[] No.10972319{4}[source]
Too right. The madness arrives when you have to retrofit the mapping and people have used different uid numbers for the same user and different users have the same uid across machines.
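
An added example, not part of the thread: with the default AUTH_SYS flavor an NFS client sends only numeric uids, so the server applies file permissions by number and the uid drift described in the last comment becomes a file-access problem. The sketch below audits passwd(5) files collected from several hosts for both cases mentioned there; the host names and passwd contents are constructed sample data, and `parse_passwd` and `audit` are hypothetical helper names.

```python
from collections import defaultdict

# Constructed sample passwd(5) contents for three hypothetical NFS clients.
SAMPLE_PASSWD = {
    "hostA": "root:x:0:0:root:/root:/bin/sh\n"
             "alice:x:1001:1001::/home/alice:/bin/sh\n"
             "bob:x:1002:1002::/home/bob:/bin/sh\n",
    "hostB": "root:x:0:0:root:/root:/bin/sh\n"
             "alice:x:1002:1002::/home/alice:/bin/sh\n"
             "carol:x:1003:1003::/home/carol:/bin/sh\n",
    "hostC": "root:x:0:0:root:/root:/bin/sh\n"
             "alice:x:1001:1001::/home/alice:/bin/sh\n"
             "bob:x:1002:1002::/home/bob:/bin/sh\n"
             "carol:x:1003:1003::/home/carol:/bin/sh\n",
}

def parse_passwd(text):
    """Return {login: uid}; comments, blanks and malformed lines are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # e.g. NIS "+" entries or truncated lines
        users[fields[0]] = int(fields[2])
    return users

def audit(passwd_by_host):
    """Find logins with several uids, and uids owned by several logins."""
    by_login = defaultdict(lambda: defaultdict(set))  # login -> uid -> hosts
    by_uid = defaultdict(lambda: defaultdict(set))    # uid -> login -> hosts
    for host, text in passwd_by_host.items():
        for login, uid in parse_passwd(text).items():
            by_login[login][uid].add(host)
            by_uid[uid][login].add(host)
    split_logins = {l: {u: sorted(h) for u, h in uids.items()}
                    for l, uids in by_login.items() if len(uids) > 1}
    shared_uids = {u: {l: sorted(h) for l, h in logins.items()}
                   for u, logins in by_uid.items() if len(logins) > 1}
    return split_logins, shared_uids

if __name__ == "__main__":
    split_logins, shared_uids = audit(SAMPLE_PASSWD)
    for login, uids in sorted(split_logins.items()):
        print(f"login {login!r} has different uids: {uids}")
    for uid, logins in sorted(shared_uids.items()):
        print(f"uid {uid} belongs to different logins: {logins}")
```

In the sample data, alice on hostB carries bob's uid from hostA and hostC, so on an AUTH_SYS export her requests from hostB are treated as bob's.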