Re: [OpenAFS] OpenAFS Security Releases 1.8.2, 1.6.23 available --> butc & backup security update question --> why only root?
OK, I understand, thank you!

Giovanni

On 27/09/2018 15:22, Jeffrey Altman wrote:
> On 9/27/2018 9:11 AM, Giovanni Bracco wrote:
>> I have made some tests - ok it works - but I wonder why the key
>> authentication method is allowed only to root user
>>
>>> -localauth
>>> All butc RPCs require superuser authentication.
>>> This option must be run as root, and server key material must be present.
>>
>> Our backup scripts, which have been running on a dedicated server for
>> many years, run under a dedicated user with administrative powers.
>>
>> Why is the availability of an admin token not sufficient to run butc in a
>> secure way?
>>
>> Giovanni
>
> A user token can be used to authenticate outgoing connections such as
> those from butc to the buserver or the volserver. It cannot be used to
> authenticate incoming connections to butc from the backup coordinator
> command ("backup" or "afsbackup" depending upon the packaging.)
>
> The privilege escalation attack is possible because of butc accepting
> unauthenticated "anonymous" requests that would then result in RPCs
> being issued as a privileged identity to the buserver and the volserver.
>
> To close the security hole butc must authenticate all incoming RPCs. To
> do so butc must have knowledge of the cell-wide key because without
> knowledge of that key it cannot decrypt the AFS token presented by the
> RPC issuer.
>
> Jeffrey Altman

--
Giovanni Bracco
phone +39 351 8804788
E-mail giovanni.bra...@enea.it
WWW http://www.afs.enea.it/bracco

___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] OpenAFS Security Releases 1.8.2, 1.6.23 available --> butc & backup security update question --> why only root?
On 9/27/2018 9:11 AM, Giovanni Bracco wrote:
> I have made some tests - ok it works - but I wonder why the key
> authentication method is allowed only to root user
>
>> -localauth
>> All butc RPCs require superuser authentication.
>> This option must be run as root, and server key material must be present.
>
> Our backup scripts, which have been running on a dedicated server for
> many years, run under a dedicated user with administrative powers.
>
> Why is the availability of an admin token not sufficient to run butc in a
> secure way?
>
> Giovanni

A user token can be used to authenticate outgoing connections such as
those from butc to the buserver or the volserver. It cannot be used to
authenticate incoming connections to butc from the backup coordinator
command ("backup" or "afsbackup" depending upon the packaging.)

The privilege escalation attack is possible because of butc accepting
unauthenticated "anonymous" requests that would then result in RPCs
being issued as a privileged identity to the buserver and the volserver.

To close the security hole butc must authenticate all incoming RPCs. To
do so butc must have knowledge of the cell-wide key because without
knowledge of that key it cannot decrypt the AFS token presented by the
RPC issuer.

Jeffrey Altman
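The asymmetry described in the message above, as an added example that is not part of the original thread and is not OpenAFS code: a toy Python model in which a token is sealed under the cell-wide key, so a token holder can authenticate outgoing calls but a receiver without that key cannot authenticate incoming ones. All function names, the keystream construction and the sample users are assumptions for illustration; real AFS tokens use different formats and ciphers.

```python
import hashlib, hmac, json, os

CELL_KEY = os.urandom(32)      # constructed stand-in for the cell-wide key
SUPERUSERS = {"backupadmin"}   # constructed stand-in for the "bos listusers" result

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor(key, nonce, data):
    # Toy SHA-256 counter-mode keystream; NOT the cipher AFS uses.
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def issue_token(user):
    """Authentication service: seal identity and session key under the cell key."""
    session, nonce = os.urandom(32), os.urandom(16)
    claims = json.dumps({"user": user, "session": session.hex()}).encode()
    body = _xor(CELL_KEY, nonce, claims)
    return {"token": nonce + body + _mac(CELL_KEY, nonce + body), "session": session}

def prove(cred, challenge):
    """Token holder, OUTGOING call: the opaque token plus the session key suffice."""
    return cred["token"], _mac(cred["session"], challenge)

def accept(server_key, token, challenge, response):
    """Receiver, INCOMING call: must open the token, which requires the cell key."""
    if server_key is None:
        raise PermissionError("no cell key: cannot decrypt the caller's token")
    nonce, body, tag = token[:16], token[16:-32], token[-32:]
    if not hmac.compare_digest(tag, _mac(server_key, nonce + body)):
        raise PermissionError("token was not issued under this key")
    claims = json.loads(_xor(server_key, nonce, body))
    session = bytes.fromhex(claims["session"])
    if not hmac.compare_digest(response, _mac(session, challenge)):
        raise PermissionError("caller does not hold the session key")
    return claims["user"]

def butc_accept(server_key, token, challenge, response):
    """Model of the -localauth behaviour quoted in the thread: superusers only."""
    user = accept(server_key, token, challenge, response)
    if user not in SUPERUSERS:
        raise PermissionError(f"{user} is not a superuser")
    return user
```

Passing `None` as `server_key` models a butc process started by an unprivileged account that holds an admin token but cannot read the server key material.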
Re: [OpenAFS] OpenAFS Security Releases 1.8.2, 1.6.23 available --> butc & backup security update question --> why only root?
I have made some tests - ok it works - but I wonder why the key
authentication method is allowed only to root user

> -localauth
> All butc RPCs require superuser authentication.
> This option must be run as root, and server key material must be present.

Our backup scripts, which have been running on a dedicated server for
many years, run under a dedicated user with administrative powers.

Why is the availability of an admin token not sufficient to run butc in a
secure way?

Giovanni

On 13/09/2018 22:51, Mark Vitale wrote:
> On Sep 13, 2018, at 2:37 PM, Jeffrey Altman wrote:
>> In the case of OPENAFS-SA-2018-001.txt, both 'butc' and 'backup' (or
>> 'afsbackup' as it is installed on some systems) must be at least:
>>
>> * AuriStorFS v0.175
>> * OpenAFS 1.8.2
>> * OpenAFS 1.6.23
>>
>> As of the releases above, the 'butc' service (by default) will not only
>> accept authenticated connections but will require that the authenticated
>> identity be a super-user as reported by the butc host's "bos listusers"
>> command.
>
> A small correction: the OpenAFS 'butc' does not do this by default.
> Instead, it forces the operator to specify one of the following options:
>
> -localauth
>     All butc RPCs require superuser authentication.
>     This option must be run as root, and server key material must be present.
>
> -allow_unauthenticated
>     All butc RPCs remain unauthenticated.
>
> Regards,
> --
> Mark Vitale
> mvit...@sinenomine.net

--
Giovanni Bracco
phone +39 351 8804788
E-mail giovanni.bra...@enea.it
WWW http://www.afs.enea.it/bracco