The root uid on an AFS client has access to the AFS cache (naturally), and
if you're using an implementation of Kerberos which keeps its tickets
around in an accessible place (as in MIT Kerberos), it is possible for
anyone with root access on that client to steal an unexpired TGT from
another authenticated user on that same client, and use that to authenticate
to an AFS file server, impersonating that person.  This really wasn't
a problem in the MIT Athena environment (even with the root pw freely known),
because the AFS client workstations only allowed a single user to log
in at a time, so you wouldn't expect to have a situation where anyone
else's TGTs were sitting around and accessible to root.  Logging out flushed
the Kerberos ticket cache.  Of course, you still have the problem of
someone browsing the AFS cache.  I think there was some thought at MIT
about hacking AFS to allow the cache to be flushed on a per-volume
basis at logout time, but between technical complexity and people's
time, it wasn't deemed a priority (of course, I haven't followed what's
been going on at MIT for a while, so I could be misrepresenting things
as far as the AFS cache is concerned.)





