Sep 23 2009

This post is based on personal experience that recently led to a fairly major outage for me, so I won't share any specific details, but I will explain the issue so others can be warned. The automountd in question was running on an older version of HP-UX, so I suppose it's possible that newer Linux systems have some kind of protection against it, but since the flaw is fundamentally part of how automount works, I doubt it.

Imagine you have an NFS share that contains a lot of directories, and various clients will only access some of them. One popular setup here is to make the master share an automount point hooked into the subdirectories. Let's say you set this up on /shared_files.

Now when a user tries to enter /shared_files/documents, for example, the automounter sends a mount request to the NFS server, mounts the documents directory directly, and the user transparently gains access... sounds perfect, right?

Here's the flaw: what happens if the user tries to access a directory which doesn't exist in the share? Say /shared_files/garbage... well, a mount request gets sent, the server rejects it, and the user gets a file-not-found.

That’s all well and good right?

But now… what if I do this:

while /bin/true ; do
    ls /shared_docs/$RANDOM
done

See what happens now: an instant denial of service against the NFS server. Normally NFS is fairly safe from DoS, as it's usually not exposed online, and generally someone inside the company would need root access to issue a mount request. But this can be done by any user, and worse, on any server he has access to (so it could be distributed). And just to add the cherry on top, similar scenarios could just as easily spring from stupidity or a buggy program/script; there isn't even any need for malice...
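A defender-side check for this failure mode, added here and not part of the original post: count refused mount requests per client in a sliding window on the NFS server's log, so that a runaway loop or buggy script like the one above shows up as a burst of refusals from one host long before the server falls over. The log line format is assumed (modelled on rpc.mountd's "refused mount request" warning on Linux), and the sample lines are constructed; the threshold and window are illustrative and should be tuned to the environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: one good mount, one typo from 10.0.0.9, and a burst
# of refusals from 10.0.0.5 that looks like a "$RANDOM" loop against the share.
# Format assumed from rpc.mountd's warning message; adjust the regex for other servers.
SAMPLE_LOG = """\
Sep 23 10:00:01 nfs1 rpc.mountd[812]: authenticated mount request from 10.0.0.9:850 for /export/shared/documents (/export/shared)
Sep 23 10:00:02 nfs1 rpc.mountd[812]: refused mount request from 10.0.0.9 for /export/shared/documnets (/export/shared): not exported
Sep 23 10:00:05 nfs1 rpc.mountd[812]: refused mount request from 10.0.0.5 for /export/shared/18271 (/export/shared): not exported
Sep 23 10:00:05 nfs1 rpc.mountd[812]: refused mount request from 10.0.0.5 for /export/shared/3094 (/export/shared): not exported
Sep 23 10:00:06 nfs1 rpc.mountd[812]: refused mount request from 10.0.0.5 for /export/shared/27712 (/export/shared): not exported
Sep 23 10:00:06 nfs1 rpc.mountd[812]: refused mount request from 10.0.0.5 for /export/shared/811 (/export/shared): not exported
Sep 23 10:00:07 nfs1 rpc.mountd[812]: refused mount request from 10.0.0.5 for /export/shared/22090 (/export/shared): not exported
Sep 23 10:00:08 nfs1 rpc.mountd[812]: refused mount request from 10.0.0.5 for /export/shared/14455 (/export/shared): not exported
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ rpc\.mountd\[\d+\]: "
    r"refused mount request from (?P<client>\S+) for (?P<path>\S+) "
)


def parse_refusals(log_text):
    """Yield (timestamp, client, path) for every refused mount request."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # syslog timestamps carry no year; a default year is fine for windowing
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("client"), m.group("path")


def find_mount_storms(log_text, threshold=5, window_seconds=10):
    """Return {client: peak refusals in any window} for clients over threshold."""
    recent = defaultdict(deque)  # client -> timestamps of refusals inside the window
    peaks = {}
    for ts, client, _path in parse_refusals(log_text):
        q = recent[client]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop refusals that have aged out of the window
        if len(q) >= threshold:
            peaks[client] = max(peaks.get(client, 0), len(q))
    return peaks


if __name__ == "__main__":
    for client, count in find_mount_storms(SAMPLE_LOG).items():
        print(f"mount storm: {client} sent {count} refused mount requests in 10s")
```

A single mistyped directory (10.0.0.9) stays below the threshold, while the looping client (10.0.0.5) is flagged; in practice the flagged host is where to look for the script or user driving the automounter.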

This problem isn't limited to NFS; you'd have the exact same issue if you were using Coda or practically any other network file system. Essentially, automount used at the per-directory level is a disaster waiting to happen: it's a daemon that executes a root-privileged command (a mount) when triggered by actions a non-privileged user can perform... inherently this is very dangerous.

It is for this reason that I am ridding my network, piece by piece, of automount-based setups and switching to simply mounting the /shared_docs equivalents via fstab directly (besides which, one on-boot mount request is so much less overhead than hundreds of on-access requests).