"Root" exposure?
Hm. It depends a bit what the network between the client
& the servers looks like, what the machine is used for,
and how secure the network in between is.
Being "root" does not necessarily mean one has "root"'s
credentials. Nobody at umich.edu knows what the "root"
kerberos password is at umich.edu (which means, you guessed it,
we could delete the kerberos entity "[EMAIL PROTECTED]" without harm)
nor would it help particularly if anyone did since "root" doesn't
have a pt entry. So far as AFS @umich.edu is concerned, root is just
another yahoo from nowhere; he only gets system:anyuser rights.
Even if root did have a "pt" entity, that would only mean
files could be permitted to him "just like" any other user.
If the user is on the same subnet as any of the DB servers,
he can probably spy on traffic between the DB servers. That
might allow him, for instance, to spy on ubik xfers of
ka. That probably won't allow him to steal the data
(they should be encrypted). There might be other traffic
that would allow him to compromise the DB server however.
If the routers aren't well protected, they might believe
a RIP (or other sort of router control) packet and that
might allow the user to compromise the network to such
an extent they might as well be on the same subnet as the
DB server.
If the client is used by others, then "root" obviously
has the ability, not just to rummage through the cache,
but to rummage through the token stash and "steal" user
AFS tickets. So root could compromise files permitted
to anyone foolish enough to use that workstation.
Of course, root could also just modify "klog", or the
kernel tty driver, to steal passwords more directly.
Root could also probably spy on all packet traffic on
the local subnet, so root could likely snarf passwords from
unprotected telnet sessions from or to nearby machines & similar
mischief.
If root is able to compromise DNS service to machines
used by users in the local cell, he might also be able to
steal passwords. He need only point those machines' DNS
records to a machine he controls and start fake telnet
sessions.
If root can compromise the DNS service used by the DB servers,
he may be able to do worse; ubik uses DNS to locate the
other servers; so if he can break DNS, he can certainly
at least confuse ubik.
-Marcus Watts
UM ITD RS Umich Systems Group
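The post's point that an unprivileged or unknown "root" only ever gets system:anyuser rights means the real exposure of a cell's files to such a client is decided by how much system:anyuser is granted on each directory. The following is an added audit example, not code from the post or from OpenAFS: it parses the output format of the real `fs listacl` command and flags directories where system:anyuser effectively holds anything beyond read and lookup. The sample `fs listacl` output and the /afs/example.org paths are constructed for illustration.

```python
"""Audit AFS ACLs for rights granted to system:anyuser.

Added example, not part of the original mailing-list post. It parses the
output of the OpenAFS `fs listacl` command and reports directories where
system:anyuser (the rights an unauthenticated client, including a local
"root" with no PTS entry, ends up with) holds more than read/lookup.
The sample output and paths below are constructed, not real cell data.
"""
import re
import shutil
import subprocess

# AFS rights letters: r=read l=lookup i=insert d=delete w=write k=lock a=administer.
# Read and lookup for system:anyuser are the usual "public" baseline.
BENIGN_RIGHTS = set("rl")

# Constructed sample of `fs listacl` output for three directories.
SAMPLE_LISTACL = {
    "/afs/example.org/public": """Access list for /afs/example.org/public is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
""",
    "/afs/example.org/dropbox": """Access list for /afs/example.org/dropbox is
Normal rights:
  system:administrators rlidwka
  system:anyuser rliw
""",
    "/afs/example.org/private": """Access list for /afs/example.org/private is
Normal rights:
  system:administrators rlidwka
  alice rlidwka
Negative rights:
  system:anyuser rl
""",
}


def parse_listacl(text):
    """Return (normal, negative) dicts mapping entity -> set of rights letters."""
    normal, negative = {}, {}
    current = normal
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Access list for"):
            continue
        if line == "Normal rights:":
            current = normal
            continue
        if line == "Negative rights:":
            current = negative
            continue
        m = re.match(r"^(\S+)\s+([rlidwka]+)$", line)
        if m:
            current[m.group(1)] = set(m.group(2))
    return normal, negative


def anyuser_excess(text):
    """Rights beyond r/l that system:anyuser effectively holds, as a sorted string.

    Negative rights are subtracted, as the AFS ACL evaluation does.
    """
    normal, negative = parse_listacl(text)
    granted = normal.get("system:anyuser", set()) - negative.get("system:anyuser", set())
    return "".join(sorted(granted - BENIGN_RIGHTS))


def audit(acls):
    """Map path -> excess system:anyuser rights for every over-permissive directory."""
    findings = {}
    for path, text in acls.items():
        excess = anyuser_excess(text)
        if excess:
            findings[path] = excess
    return findings


def audit_live(paths):
    """Run the real `fs listacl` on each path (only works on a host with AFS client tools)."""
    if shutil.which("fs") is None:
        raise RuntimeError("AFS 'fs' command not found; use audit() on captured output instead")
    acls = {}
    for path in paths:
        out = subprocess.run(["fs", "listacl", path], capture_output=True, text=True, check=True)
        acls[path] = out.stdout
    return audit(acls)


if __name__ == "__main__":
    for path, excess in audit(SAMPLE_LISTACL).items():
        print(f"{path}: system:anyuser has extra rights '{excess}'")
```

Run against captured output, only the dropbox directory is reported (system:anyuser holds insert and write there); the private directory's negative entry cancels its own grant and the public directory stays within read/lookup. On a real client, `audit_live()` walks the paths you name with the actual `fs listacl` command.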