Once more the time has come when I make one of my pleas to
Transarc to restrict some of what can be done if you have
root access on a machine in AFS.  Let me remind any other timid
cell administrators of some of the things you can do.
Today I'll look at the bos command.  These things all seem to work
even on AFS client machines with no authentication required, just
root access.

bos exec -- If you have root access to any machine in a cell,
   then you can run commands as root on any other machine in the cell
   which has a bosserver process.
bos addkey/listkeys/removekey -- By adding a new key and deleting
   all old ones, you can invalidate all current tokens on all machines in
   the cell.
bos adduser -- You can add any user to a superuser list on another machine,
   so that that user can do whatever admin can do.
bos setauth -- You can turn off the requirement for authentication on
   any other machine.
bos install -- You can copy any file to any directory on any other machine.
   I have successfully used this, for example, to overwrite /etc/passwd.

And, let me remind you of this one:

vos rename root.afs junk -loc -- This makes the entire AFS hierarchy
   invisible.

Granted that it is dangerous for anyone to have root access, most
Unix systems are sufficiently porous that someone will someday get
unauthorised root access to one of your machines.  Perhaps AFS provides
an open window for such a person into other machines in the cell.
But does it need to provide an open door and a six-lane motorway?

     -- Owen
     [EMAIL PROTECTED]
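
As an added example (not part of the original message): a check that flags the commands listed above when root runs them from a host outside an assumed set of admin workstations. The `host uid command` record format, the host names and the `admin_hosts` set are assumptions constructed for illustration.

```python
import shlex

# Subcommands named in the post, with the effect the post describes for each.
RISKY_BOS = {
    "exec": "runs a command as root on the target server",
    "addkey": "adds a server key",
    "removekey": "removes a server key (can invalidate existing tokens)",
    "adduser": "adds a user to the target's superuser list",
    "setauth": "changes the authentication requirement on the target",
    "install": "copies a file onto the target",
}

def classify(argv):
    """Return a reason if argv is one of the commands from the post, else None."""
    if not argv:
        return None
    tool = argv[0].rsplit("/", 1)[-1]          # accept a full path to bos/vos
    sub = argv[1] if len(argv) > 1 else ""
    if tool == "bos" and sub in RISKY_BOS:
        return f"bos {sub}: {RISKY_BOS[sub]}"
    if tool == "vos" and sub == "rename" and "root.afs" in argv[2:]:
        return "vos rename of root.afs: hides the AFS hierarchy"
    return None

def audit(lines, admin_hosts):
    """Flag root-run commands from hosts outside admin_hosts (assumed allow-list)."""
    findings = []
    for line in lines:
        fields = line.split(None, 2)           # 'host uid command...' (assumed format)
        if len(fields) < 3:
            continue                           # skip malformed records
        host, uid, cmd = fields
        reason = classify(shlex.split(cmd))
        if uid == "0" and reason and host not in admin_hosts:
            findings.append((host, reason))
    return findings

# Constructed sample records, not real logs.
SAMPLE = [
    "client7 0 /usr/bin/bos setauth fs1 off",
    "admin1 0 bos adduser fs1 alice",
    "client7 0 vos rename root.afs junk -loc",
    "client7 1001 bos listkeys fs1",
    "client3 0 bos status fs1",
]

if __name__ == "__main__":
    for host, reason in audit(SAMPLE, admin_hosts={"admin1"}):
        print(host, reason)
```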
