I normally wouldn't have commented, except that someone said that host
authentication should still give system:authuser access.
Let's just say this is a SECURITY hole.
The fact is that we may have to use IP restrictions to suit licenses and
it qualifies as "best efforts" for protecting software from being used
elsewhere.
However, in reality, IP security is a hoax. In AFS 3.1, two security
holes were uncovered - coredumps could be retrieved remotely and
superuser commands could be issued from remote sites, without any
defense.
It is fine to assume that there may be times when this weak level of
security is appropriate, such as accessing system-level software prior
to a user logging in, or for machines to save statistics in a central
repository when no authentication is possible. However, these should be
explicit decisions, and system:authuser should imply that strong
authentication has been performed. IP checks are weak authentication
(and I would argue that they are not even authentic, given the number of
times I have seen them spoofed).
Recommendation: Fix whatever bug it is that is causing explicit hosts to
be members of system:authuser@cell.
-Richard Basch
MIT IS/DCNS Development
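As an added audit check (not part of the original post or of AFS itself), the script below scans the output of `pts membership system:authuser` and `fs listacl <dir>` for host (IP address) entries, so an administrator can spot the condition the post complains about. The output formats shown are constructed samples in the shape those commands print; the header line and indentation are assumptions about that format.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample in the shape of `pts membership system:authuser`
# (assumed format: one header line, then one member per indented line).
PTS_OUTPUT = """Members of system:authuser (id: -102) are:
  rbasch
  jdoe
  18.72.0.0
  18.72.1.17
"""

# Constructed sample in the shape of `fs listacl /afs/example.cell/project`
# (assumed format: header, "Normal rights:" section, "<principal> <rights>").
FS_OUTPUT = """Access list for /afs/example.cell/project is
Normal rights:
  system:administrators rlidwka
  system:authuser rl
  18.72.0.0 rlidwk
"""


def looks_like_host(principal: str) -> bool:
    """True if a principal name is an IPv4/IPv6 address, i.e. an AFS host entry.
    In AFS host ACLs, trailing zero octets act as wildcards, so 18.72.0.0
    stands for every host in 18.72.x.x and is still a host entry."""
    try:
        ipaddress.ip_address(principal)
        return True
    except ValueError:
        return False


def host_members(pts_text: str) -> List[str]:
    """Return host entries that are members of the group listed by pts."""
    members = []
    for line in pts_text.splitlines()[1:]:  # skip the "Members of ..." header
        name = line.strip()
        if name and looks_like_host(name):
            members.append(name)
    return members


def host_acl_entries(fs_text: str) -> List[Tuple[str, str]]:
    """Return (host, rights) pairs granted directly to IP entries in an ACL."""
    entries = []
    for line in fs_text.splitlines()[1:]:  # skip the "Access list for ..." header
        parts = line.split()
        if len(parts) == 2 and looks_like_host(parts[0]):
            entries.append((parts[0], parts[1]))
    return entries
```

Any host returned by `host_members` means unauthenticated clients from that network are treated as system:authuser on every ACL that grants it rights.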