At 08:17 PM 12/1/99 -0800, Kris Kennaway wrote:
>On Tue, 30 Nov 1999, David LeBlanc wrote:
>
>> >Regardless of that, how does the patch stop malicious users from
>> >producing AT jobs that have valid signatures and putting them in place?
>> The signature is based on a unique certificate that is stored in the
>> private data, and only admins can access the certificate. So your
>> requirement to use this method (post-fix) to become admin is to be admin.
>Replay attack? I read the patch description as saying that it stores a
>signature in the file containing the AT job, which is verified at
>execution time. If you can read the job file as another user, you may be
>able to resubmit the same job multiple times, if the signature doesn't
>include data which is instance-specific (e.g. the job ID).

Here's what I was told:

"The ACL on an At job file denies read access to non-admins.
This prevents non-admins from copying a signed At job into
another admin-owned file."

BTW, job ID wouldn't be sufficient - those numbers do get reused.

If anyone else sees a problem with the current way it works, send mail to
[EMAIL PROTECTED] and/or to me - I'll do my best to follow up.

Thanks for pointing this out - though it seems painfully obvious now, I
hadn't thought of it on my own.

David LeBlanc
[EMAIL PROTECTED]
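The replay concern raised in this exchange can be shown in a few lines. The following Python sketch is an added example, not code from the thread or from the patch under discussion: an HMAC key held by the scheduler stands in for the admin-only certificate, and the field names, the `Scheduler` class and the `demo` function are all invented for illustration. It signs a job record two ways, once over the command and a reusable job ID only, and once with a per-submission random nonce included in the signed data, then shows that a byte-for-byte copy of the first kind still verifies and runs again, while a copy of the second kind is rejected as a replay and a modified copy fails the signature check.

```python
import hashlib
import hmac
import json
import secrets
import time

# Stand-in for the admin-only signing certificate: a random key that only
# the scheduler process ever holds (assumption for this example).
SCHEDULER_KEY = secrets.token_bytes(32)


def canonical(body: dict) -> bytes:
    """Deterministic serialisation so signer and verifier hash the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_job(key: bytes, job_id: int, command: str, *, instance_specific: bool) -> dict:
    """Build a signed job record.

    With instance_specific=False the signature covers only job_id and command,
    so any copy of the file is indistinguishable from the original submission.
    With instance_specific=True a fresh random nonce and the submission time are
    signed too, giving each submission an identity of its own.
    """
    body = {"job_id": job_id, "command": command}
    if instance_specific:
        body["nonce"] = secrets.token_hex(16)      # unique per submission
        body["submitted_at"] = int(time.time())
    sig = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "sig": sig}


class Scheduler:
    """Verifies a job record before running it and remembers consumed nonces."""

    def __init__(self, key: bytes):
        self.key = key
        # In a real scheduler this set must persist across restarts and be
        # writable only by the scheduler itself (assumption, not shown here).
        self.seen_nonces: set[str] = set()

    def verify_and_run(self, job: dict) -> tuple[bool, str]:
        body = {k: v for k, v in job.items() if k != "sig"}
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, job.get("sig", "")):
            return False, "rejected: bad signature"
        nonce = job.get("nonce")
        if nonce is None:
            # Signature is valid but carries nothing tying it to one submission.
            return True, "ran (signature valid, no replay protection)"
        if nonce in self.seen_nonces:
            return False, "rejected: nonce already executed (replay)"
        self.seen_nonces.add(nonce)
        return True, "ran"


def demo() -> dict:
    """Run the three scenarios and return each verdict for inspection."""
    sched = Scheduler(SCHEDULER_KEY)

    # Scenario 1: signature over a reusable job ID and the command only.
    weak = sign_job(SCHEDULER_KEY, 1, "backup.cmd", instance_specific=False)
    weak_first = sched.verify_and_run(weak)
    weak_replay = sched.verify_and_run(dict(weak))      # exact copy, resubmitted

    # Scenario 2: signature also covers a per-submission nonce.
    strong = sign_job(SCHEDULER_KEY, 1, "backup.cmd", instance_specific=True)
    strong_first = sched.verify_and_run(strong)
    strong_replay = sched.verify_and_run(dict(strong))  # exact copy, resubmitted

    # A second legitimate submission that reuses the same job ID still runs,
    # because its nonce is new; the ID itself is not what prevents replay.
    reused_id = sign_job(SCHEDULER_KEY, 1, "backup.cmd", instance_specific=True)
    reused_id_result = sched.verify_and_run(reused_id)

    # Scenario 3: a copy with any signed field altered fails verification.
    altered = dict(strong)
    altered["command"] = "other.cmd"
    altered_result = sched.verify_and_run(altered)

    return {
        "weak_first": weak_first,
        "weak_replay": weak_replay,
        "strong_first": strong_first,
        "strong_replay": strong_replay,
        "reused_id": reused_id_result,
        "altered": altered_result,
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13s} -> {verdict}")
```

The point the example makes is the one the thread reaches: a signature proves that an admin produced the record, but not that this is the submission the admin made, so the signed data has to include something that is unique per submission, and the verifier has to remember what it has already consumed. The file ACL the patch relies on is a separate control that keeps non-admins from obtaining a signed record in the first place; the nonce check is what limits the damage if that control ever fails.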