I'm catching up on Info-AFS messages and had a few clarifications to
make on this post.

[EMAIL PROTECTED] writes:
> What Joe's warning failed to note is that our version of xdm was
> simply the RPI version with a change so that it didn't stop creating
> PAGs after the first 16 logins.  In other words, I think it would be
> wise for anyone using an AFS authenticating xdm to explicitly check
> for this problem.

This is a good point.  I wasn't sure of the lineage of the various
versions of XDM, so I couldn't tell if the RPI version contained the
same defect or not.  The RPI version had recently been updated, so I
suspected that this problem had been fixed in their version.  Someone
more familiar with the code will have to verify this.

By the way, the RPI version no longer contains the 16-logins bug on
AIX.  For more details, see the file
/afs/transarc.com/public/afs-contrib/tools/xdm/rpi-16-logins-fix

> Subsequently, Joe sent around another note asserting that another
> (unspecified) security problem had been found in our xdm, that we had
> been notified, and that our xdm had been removed from the Transarc
> archive.
> 
> This disturbs me a bit because Transarc had most certainly not
> notified us of any such thing.  A fellow AFS user had sent a note to
> both Transarc and myself pointing out what they considered to be a
> security problem - that our xdm does not pay attention to the AIX
> /etc/security/users file.  Specifically, that with our xdm it is not
> possible to use this file to limit root logins to console devices.

My original message was probably too vague.  We didn't remove your
code from the archive, of course, but just disabled access.  When I
said that "the authors of the software have been contacted", I was
referring to the fellow AFS user that spoke to you.  Sorry if this
wasn't clear.

> I do not consider this to be a security problem.  Neither does another
> user who contacted me.  At least the R5 distribution of X11 from MIT
> does not provide this functionality for AIX.  I don't know about the
> R6 version, but I doubt this has changed.

I didn't know the details of the second security problem at the time I
posted my second message.  I certainly understand why you don't
consider this a defect.  In retrospect, removing access from the trees
was probably too severe a reaction, but I try to err on the side of
caution when security issues are involved.

I've verified that access to the
/afs/transarc.com/afs-contrib/tools/xdm/ tree has been re-enabled for
all users.  Until we find out that the RPI directory doesn't contain
the major security defect, though, we'll leave that directory
protected.

> If Joe had bothered to contact me or had responded to my email or
> phone call, he might have saved himself the embarrassment of my having
> to publish this explanation.

No problem -- in fact, I'm glad you cleared this up for everyone!  I
was on vacation for a week and a half, so I didn't have a chance to
get back to you sooner.  (I neglected to inform the front desk, which
is why they didn't tell you I was out.)

Joe Jackson,
AFS Product Engineer,
Transarc Corp.