Or alternatively, you can get Transarc's "authoritative" CellServDB from:

% ls -l /afs/transarc.com/service/CellServDB
lrwxr-xr-x   1 5883     root           21 May 18 18:45 /afs/transarc.com/service/CellServDB -> etc/CellServDB.export

Of course, I *strongly* hope that Transarc doesn't have "private" cells
listed in their CellServDB for their web-server, but in all likelihood, if
you really want your cell to be private, you would protect your AFS ports
with router filters.

This isn't a "new" exposure in any way. You have to be exceedingly careful
about your ACLs, and probably an occasional scan of all of the ACLs for
the root of each volume in your cell isn't a bad plan. Perhaps someone has
already written a tool to check the ACLs in this manner, or at the very
least, such a tool could very easily be written.

I won't say that I've developed a policy of doing so with some frequency,
but I have long believed that I should. 

We have been lucky that the "cracker" population has not been AFS-aware
(or not largely so) in the past, but the risk of poor ACLs has always been
there. I believe it's just time for everyone to audit their practices for
setting and monitoring ACLs, and keep an eye out for suspicious activity,
as we always should have.

Nathan

On Mon, 13 Sep 1999 [EMAIL PROTECTED] wrote:

> 
>       > And, if you protect the toplevel, you're safe from the
>       > drill-down problem.
>       
>       Well, true, and not true.  Actually every volumes top level directory
>       ACL has to be protected.  For instance I can get a list of all volumes
>       in the transarc.com cell (or northstar.dartmouth.edu, etc.), mount each volume,
>       then see if I can access that mount point and see how far I can go.  So the
>       drill-down problem is true for users who are traversing down web directories
>       or ftp sites.  But users with access to AFS client machines can mount any
>       volume from virtually any cell.
> 
> How interesting; I hadn't thought of that.  OTOH, we've always had _that_
> problem - what's different now?  The web doesn't really give you anything
> other than cell names, which you can presumably find from any AFS client
> machine you can mount volumes from...
> 
> --paw
> 

Nathan Rawling        [EMAIL PROTECTED]        KC8BOA
Server Operations - Ann Arbor     UUnet Technologies
"I am Cat of Borg.  We will assimilate your shiny things."
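[Editor's note: the script below is an added example of the ACL-scanning tool Nathan says "could very easily be written"; it is not part of the original message and not a Transarc tool. It assumes the OpenAFS "vos" and "fs" command-line tools and their usual output formats; the cell name example.com, the volume names, the ACL listings and the AUDIT_DIR variable are constructed for illustration. It does what paw's quoted reply describes: enumerate every volume the VLDB will hand to an unprivileged client, mount each one, and look at the ACL on the volume root. Entries for system:anyuser and system:authuser that grant more than bare lookup ("l") are reported for a human to review, because "rl" for everyone is normal on a root volume and a leak on a home directory, and only the cell's admins can tell which is which.]

```shell
#!/bin/sh
# Added example (not from the original post): audit the root-directory ACL of
# every volume in a cell for world-accessible entries, the scan Nathan suggests.
# Assumptions, labelled: tool names and output formats are those of the OpenAFS
# "vos" and "fs" commands; AUDIT_DIR is a directory inside AFS where you hold
# insert rights, used as scratch space for temporary mount points.

# Extract volume names from "vos listvldb" output: entry names are the lines
# that start in column 1 and are neither the banner nor the trailing summary.
vldb_volume_names() {
    awk 'NF && $0 !~ /^[ \t]/ && $1 != "VLDB" && $1 != "Total" { print $1 }'
}

# From "fs listacl" output, print the Normal-rights entries that apply to
# everyone: system:anyuser (any client, no token needed) and system:authuser
# (anyone holding a token for this cell). Negative rights are ignored here.
acl_world_rights() {
    awk '
        /^Normal rights:/   { normal = 1; next }
        /^Negative rights:/ { normal = 0; next }
        normal && ($1 == "system:anyuser" || $1 == "system:authuser") { print $1, $2 }
    '
}

# Exit 0 (true) when a world entry grants anything beyond bare lookup ("l").
# Policy assumption: "l" on a volume root is tolerated so paths stay traversable;
# r, i, d, w, k or a for everyone is what we want a human to look at.
acl_needs_review() {
    acl_world_rights | awk '$2 ~ /[ridwka]/ { found = 1 } END { exit found ? 0 : 1 }'
}

# Live driver: list the cell's VLDB (no privilege needed, which is the point of
# the thread), mount each volume under AUDIT_DIR, inspect its root ACL, then
# remove the mount point again. The cell must be in the client's CellServDB.
audit_cell() {
    cell=$1
    dir=${AUDIT_DIR:?set AUDIT_DIR to a writable directory inside AFS}
    vos listvldb -cell "$cell" | vldb_volume_names | while read -r vol; do
        mp="$dir/aclaudit.$vol"
        fs mkmount -dir "$mp" -vol "$vol" -cell "$cell" || continue
        if fs listacl "$mp" 2>/dev/null | acl_needs_review; then
            printf 'REVIEW %s: %s\n' "$vol" \
                "$(fs listacl "$mp" | acl_world_rights | tr '\n' ';')"
        fi
        fs rmmount -dir "$mp"
    done
}

# Constructed sample output, so the parsing can be exercised without a cell.
SAMPLE_VLDB='VLDB entries for all servers

root.afs
    RWrite: 536870912     ROnly: 536870913
    number of sites -> 1
       server fs1.example.com partition /vicepa RW Site

user.alice
    RWrite: 536870915
    number of sites -> 1
       server fs1.example.com partition /vicepb RW Site

Total entries: 2'

SAMPLE_ACL_OPEN='Access list for /afs/example.com/user/alice is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
  alice rlidwka
Negative rights:
  bob rl'

SAMPLE_ACL_LOOKUP_ONLY='Access list for /afs/example.com/user/bob is
Normal rights:
  system:administrators rlidwka
  system:anyuser l
  bob rlidwka'

if [ $# -gt 0 ]; then
    audit_cell "$1"   # e.g. AUDIT_DIR=/afs/example.com/user/me ./aclaudit.sh example.com
else
    printf '%s\n' "$SAMPLE_VLDB" | vldb_volume_names
    printf '%s\n' "$SAMPLE_ACL_OPEN" | acl_needs_review && echo "user.alice: review"
    printf '%s\n' "$SAMPLE_ACL_LOOKUP_ONLY" | acl_needs_review || echo "user.bob: ok"
fi
```

Two caveats for anyone running the live path: the mount points are created with fs mkmount, so AUDIT_DIR has to be inside AFS and you need "i" and "d" on it; and a volume whose root grants the scanner's own identity nothing will still mount but fs listacl will fail, which the script silently treats as "nothing to review" (that is the safe direction, but it is also the case where you know least). Run it with a plain, untokened identity as well as with your own to see the two views an outsider and an insider get.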
