5_2_0 Privilege_Escalation

Michael Eder edited this page Dec 29, 2024 · 1 revision

The following pages describe various privilege escalation attacks. This page condenses the information needed to protect your systems against them.

When mounting an NFS export on a Linux client, the nosuid, noexec, and nodev parameters described here should be passed to the mount command or configured in /etc/fstab in order to prevent the privilege escalation attacks mentioned in this section.

  • Set the nosuid option when mounting an NFS export if the client does not need to run setuid binaries from the export. Even if the no_root_squash option is not set on the export, it is still possible to upload setuid and setgid binaries for any other user or group which can be used to directly access the disk on the client.
  • If it is not necessary to execute files at all, it is possible to set the noexec option to prevent the execution of any program from the NFS server.
  • Also set the nodev option if you do not need to access device files in the NFS export. Otherwise, an attacker could upload block device files to the NFS export, make them accessible to everyone, and use them to directly access disks on the client, bypassing the security checks of the operating system.

In order to prevent privilege escalation, both nosuid and nodev have to be enabled. If one of the options is missing, attacks are possible.
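
One way to check a client against these recommendations, as an added example that is not part of the original wiki: the function reads mount entries and fails any NFS mount that lacks nosuid or nodev. The function names, the host name and the paths in the sample are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example: audit NFS mounts for the nosuid/nodev/noexec options.
# Input on stdin uses the /proc/self/mounts field order, which /etc/fstab shares:
#   device  mountpoint  fstype  options  dump  pass

audit_nfs_mounts() {
    awk '
    $3 == "nfs" || $3 == "nfs4" {
        split("", has)                       # clear the per-line option set
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) has[opt[i]] = 1

        missing = ""
        if (!("nosuid" in has)) missing = missing " nosuid"
        if (!("nodev"  in has)) missing = missing " nodev"

        if (missing != "") {
            # Either option missing leaves an escalation path open.
            printf "FAIL %s missing:%s\n", $2, missing
            bad = 1
        } else if (!("noexec" in has)) {
            # Acceptable only if the client must execute files from the export.
            printf "NOTE %s nosuid,nodev set; noexec not set\n", $2
        } else {
            printf "OK %s\n", $2
        }
    }
    END { exit bad + 0 }                     # non-zero if any mount failed
    '
}

# Constructed sample input (host name and paths are made up for illustration).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
nfs.example.internal:/srv/home /mnt/home nfs4 rw,nosuid,nodev,noexec,relatime,vers=4.2 0 0
nfs.example.internal:/srv/tools /mnt/tools nfs4 rw,nosuid,nodev,relatime,vers=4.2 0 0
nfs.example.internal:/srv/share /mnt/share nfs rw,nosuid,relatime,vers=3 0 0
nfs.example.internal:/srv/build /mnt/build nfs4 rw,relatime,vers=4.2 0 0
EOF
}

# Demo on the sample; on a real client use: audit_nfs_mounts < /proc/self/mounts
sample_mounts | audit_nfs_mounts || echo "at least one NFS mount lacks nosuid or nodev"
```

Running it against /etc/fstab as well catches entries that are configured but not currently mounted.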