Information
Disable suid/sgid program execution and/or access to system devices via permissions set on any mounted NFS filesystem.
Rationale:
Setting the nosuid and nodev options means that files on the NFS server cannot be used to gain privileged access on the client.
This hampers a malicious user who creates an attack vector on the server, logs on to an NFS client as a standard user, and uses the suid/sgid program to effectively become another user (especially root) on that client.
The nodev option blocks malicious/accidental (raw) access to system devices (e.g., /dev/kmem, /dev/rhdisk0). Access to devices is not exclusive to the /dev directory: devices are accessed through so-called special files, which are defined by a major and minor device ID.
Solution
For each NFS mount, disable suid programs and device access. List the current NFS mounts:
# Mounts whose listing does not show nosuid: set nosuid (-y) and nodev (-z)
lsnfsmnt -l | /usr/bin/egrep -v '^Name' | /usr/bin/grep -v 'nosuid' | while read remote local host rest; do
    chnfsmnt -d "${remote}" -f "${local}" -h "${host}" -y -z
done
# Mounts whose listing does not show nodev: same change
lsnfsmnt -l | /usr/bin/egrep -v '^Name' | /usr/bin/grep -v 'nodev' | while read remote local host rest; do
    chnfsmnt -d "${remote}" -f "${local}" -h "${host}" -y -z
done
NOTE: The NFS mount is re-mounted automatically by chnfsmnt.
NOTE: The second loop might not do anything, as both loops set both nosuid (-y) and nodev (-z).
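To verify the result afterwards, the following added example (not part of the benchmark text) reports every mount that still lacks nosuid or nodev. It compares options as whole comma-separated tokens, so a mount point whose path merely contains "nosuid" is not mistaken for a hardened mount, which a substring grep over the full line would do. The input format, one "<mount point> <options>" pair per line without spaces in the mount point, is an assumption; extract those two columns from your own mount listing. The function names and sample data are constructed.

```shell
#!/bin/sh
# Added example. Assumed input, one NFS mount per line:
#   <mount point> <comma-separated mount options>

# has_opt LIST OPT: succeed only if OPT is an exact token in LIST.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Read mounts on stdin; print "<mount point> missing:<opts>" for each
# mount that lacks nosuid and/or nodev. Prints nothing when all comply.
nfs_missing_opts() {
    while read -r mnt opts; do
        [ -z "$mnt" ] && continue
        missing=""
        for want in nosuid nodev; do
            has_opt "$opts" "$want" || missing="${missing:+$missing,}$want"
        done
        [ -n "$missing" ] && printf '%s missing:%s\n' "$mnt" "$missing"
    done
    return 0
}

# Constructed sample data (not real system output).
sample_mounts() {
    cat <<'EOF'
/home bg,hard,intr,nosuid,nodev
/data/nosuid_archive bg,hard,intr
/apps rw,nosuid
/scratch rw,nodevs,suid
EOF
}

sample_mounts | nfs_missing_opts
```

An empty result means every listed mount carries both options.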
Default Value:
N/A