# NFS4 Client- /var/lib/nfs owned by root causes exploitation?

## dman777

Something was pegging my HD (from the HD light). I have a KVM Gentoo Guest that uses Subsonic streaming software to stream music to my phone. I use an NFS v4 mount to use my music collection on my Gentoo host. When I cut the nfs daemon on the host, the pegging on the HD light stopped.

I noticed in the logs on the KVM guest there was a message from subsonic stating that NFS rpstat.d is running as root and to chown /var/lib/nfs to change this. So I did a chown subsonic_user.subsonic_user to /var/lib/nfs and the HD pegging (the light) seemed to stop once I rebooted.

What kind of vulnerability is there when the rpstat.d shows that it is running as root and to chown /var/lib/nfs to change this?

And is there anything that I can check from when /var/lib/nfs was owned by root to make sure my host and my guest weren't exploited?

----------

## TomWij

*dman777 wrote:*

> Something was pegging my HD (from the HD light).

In general, you can inspect that with iotop as root from the package sys-process/iotop.

*dman777 wrote:*

> When I cut the nfs daemon on the host, the pegging on the HD light stopped.

Though this should make it clear it is the NFS daemon. However, one wonders if it happens locally or is a result of the network; what happens if you disconnect the computer from the network?

*dman777 wrote:*

> I noticed in the logs on the KVM guest there was a message from subsonic stating that NFS rpstat.d is running as root and to chown /var/lib/nfs to change this. So I did a chown subsonic_user.subsonic_user to /var/lib/nfs and the HD pegging (the light) seemed to stop once I rebooted. What kind of vulnerability is there when the rpstat.d shows that it is running as root and to chown /var/lib/nfs to change this?

Services are usually not run as root to prevent any vulnerability in the software from being exploited; not all vulnerabilities are known, and those that are known may be exploited if you don't update NFS in time. Software isn't perfect...

*dman777 wrote:*

> And is there anything that I can check from when /var/lib/nfs was owned by root to make sure my host and my guest weren't exploited?

Only if you have some means to track it in terms of metadata of the changes; the easiest way would be logs, but assuming those are likely disabled by default you could look at modification times with `find -mtime ...` (see its man page on which number to specify in place of ...) and if you have enabled access times you could try `find -atime ...` as well.
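The three checks from the answer above (who owns the statd state directory, which user rpc.statd actually runs as, and which files under it changed recently via `find -mtime`) collected into a few shell functions. This is an added example, not code from the thread or from nfs-utils; `/var/lib/nfs` and the process name `rpc.statd` are assumed defaults that can be overridden by arguments, and `stat -c` assumes GNU coreutils.

```sh
# Audit helpers for the statd state directory. Added example, not from the
# thread. Assumed defaults: /var/lib/nfs as the state dir, rpc.statd as the
# daemon name; GNU stat is required for owner_of.

# Print the owning user of a path.
owner_of() {
    stat -c %U "$1"
}

# Print the distinct users running a process whose command name is $1
# (prints nothing if no such process exists).
process_users() {
    ps -eo user=,comm= | awk -v name="$1" '$2 == name { print $1 }' | sort -u
}

# List regular files under $1 whose data changed within the last $2 days,
# one per line, sorted. This is the find -mtime check from the answer;
# -ctime would additionally catch ownership and permission changes.
recently_modified() {
    find "$1" -type f -mtime -"$2" 2>/dev/null | sort
}

# Run all three checks. Returns 0 when the state dir is not owned by root
# and rpc.statd is not running as root, 1 otherwise; findings are printed
# either way.
audit_statd() {
    dir=${1:-/var/lib/nfs}
    days=${2:-7}
    status=0
    owner=$(owner_of "$dir") || return 1
    printf 'owner of %s: %s\n' "$dir" "$owner"
    [ "$owner" = root ] && { echo "WARN: $dir is owned by root"; status=1; }
    for u in $(process_users rpc.statd); do
        printf 'rpc.statd running as: %s\n' "$u"
        [ "$u" = root ] && { echo "WARN: rpc.statd is running as root"; status=1; }
    done
    echo "files under $dir modified in the last $days days:"
    recently_modified "$dir" "$days" | sed 's/^/  /'
    return $status
}
```

Run `audit_statd` as root on the host (or `audit_statd /some/dir 30` to widen the window); a non-zero exit means at least one of the two root findings fired.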

----------

## dman777

*dman777 wrote:*

> I noticed in the logs on the KVM guest there was a message from subsonic stating that NFS rpstat.d is running as root and to chown /var/lib/nfs to change this. So I did a chown subsonic_user.subsonic_user to /var/lib/nfs and the HD pegging (the light) seemed to stop once I rebooted. What kind of vulnerability is there when the rpstat.d shows that it is running as root and to chown /var/lib/nfs to change this?

*Quote:*

> Services are usually not run as root to prevent any vulnerability in the software from being exploited; not all vulnerabilities are known, and those that are known may be exploited if you don't update NFS in time. Software isn't perfect...

That is the strange thing... I have subsonic running as non-root (subsonic_user). I guess, as a complementary service, it let me know in messages that rpc.statd was running as root and to chown /var/lib/nfs to fix this. When starting rpstat.d from /etc/init.d/rpc.statd from sysVinit, shouldn't that be taken care of automatically? How come in all the docs I read it doesn't state that /var/lib/nfs should not be owned by root?

----------

## TomWij

I suppose because it works that way, but something working is not secure; I guess having NFS run as root makes it easier to use it, so as not to have to explicitly set better permissions.

----------

## dman777

After changes, I caught the hard drive being pegged again:

```
 1288 be/3 root          0.00 B      0.00 B  0.00 % 58.76 % [jbd2/sda8-8]
 5895 be/4 kvmuser       0.00 B     16.00 K  0.00 % 13.04 % qemu-kvm ~=no -m 512"
```

```
localhost four # df /dev/sda8
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda8        51G   46G  1.7G  97% /kvm_guests
localhost four # 
```

That kvmuser owned process is my subsonic guest. This iotop is from the KVM host. This is freaking me out. What could be causing this? I changed all the passwords to the Subsonic Gentoo KVM guest.

----------

## Ant P.

Maybe it's trying to do something harmless but dumb like index all your media files?

----------