On Tue, 7 Dec 1993, Axel Clauberg wrote:
> On Dec 6, 18:10, [EMAIL PROTECTED] wrote:
> > Subject: Files with Wrong Group
> >
> > New files created in our xdm login windows are getting group ownership set
> > to the first pagsh number as listed by 'groups'. The problem occurs in any
> > local window or new pagsh invoked from the original login shell.
> >
> > > ll x
> > -rw-r--r-- 1 savage 33536 0 Dec 06 18:04 x
> > > groups
> > 33536 33930 mscadm
> >
> > Has anyone else seen this behavior?
> Yes, seen and fixed (just yesterday... ;-)).
> The AFS authenticating xdm inserts the pag data into the first two
> slots [0,1] of the group array. Later on (in session.c), a setgid
> is done with argument groups[0]. This will always set your primary group to
> the first part of the pag data.
There is a much more fundamental problem: up to AFS 3.2 at least it is the
AFS client who decides on the gid of a file, not the server. With an older
HP-UX 8.07 AFS client ALL files were set up to be owned by group 'root'
(gid=0), regardless of who created them. This has been fixed for HP-UX
9.0, but obviously on the CLIENT side.
This means that just anybody can copy a shell into AFS, 'chmod g+s' and
become a member of group 'root'. I just checked again: still works
perfectly well.
And I guess that with a bit of imagination and perhaps just the root
password on an AFS client of your choice you can set yourself up to be a
member of groups 'daemon', 'mail' or whatever groups are somewhat
sensitive on OTHER systems.
I'm actually waiting to test this with AFS 3.3 before starting to moan.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rainer Toebbicke - [EMAIL PROTECTED] -or- [EMAIL PROTECTED] O__
European Laboratory for Particle Physics(CERN) - Geneva, Switzerland > |
Phone: +41 22 767 4911 Fax: +41 22 767 7155 ( )\( )
