Tomas Olsson wrote:
Alexander Boström <[EMAIL PROTECTED]> writes:
If default PAGs are by uid, it might be possible to use root's PAG after
saying "default, please" and calling smth setuid.
Our users don't get a PAG when they telnet to one of our hosts, so we've never had any real PAG "jail" to begin with. I doubt we really need one.
Good point. Of course, any app accessing the wrong files in root's name is seriously broken regardless of PAG behaviour.
Thanks.
/Tomas
_______________________________________________ OpenAFS-devel mailing list [EMAIL PROTECTED] https://lists.openafs.org/mailman/listinfo/openafs-devel
Besides, in the case of processes running as root, you don't really have a jail with the current implementation, since you can peek through /proc till you see a process with the credentials you want, look at his group memberships, and set yours to match. If you're expecting the current implementation to protect you from stealing someone's tokens, you've already lost. I suppose that because of the trapped setgroups syscall, you can't actually directly join the default PAG, but you can almost certainly convince another currently PAG-less process to spawn a child for you. Think attaching to another root process with a debugger, and inserting code to fork, and then exec whatever you want.
Hmm, now that I think of it, what prevents someone from using this trick as a normal user? I.e. if you have 2 processes that run as the same user, but with different PAGs, couldn't one of them use the debugging facility to write code to fork and exec an arbitrary program into a chunk of memory, and then jump there?
-Matt Andrews
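The situation Matt raises above (two processes owned by the same user but sitting in different PAGs, with the PAG visible as supplementary group membership through /proc) is something an administrator can audit for before deciding how much to rely on PAG separation. The following is an added example and not code from the OpenAFS project or from anyone on this thread; it assumes, as the thread describes, that a process's PAG is carried in its supplementary groups and is readable from the Groups line of /proc/<pid>/status. The group id 33000 in the constructed sample is a placeholder and not a real PAG encoding.

```python
"""Audit helper: list uids whose processes do not all share one supplementary
group set (constructed example; not OpenAFS code). Assumes the PAG lives in the
supplementary groups shown on the Groups line of /proc/<pid>/status."""
from collections import defaultdict
import os


def parse_status(text):
    """Return (real uid, real gid, frozenset of supplementary groups)
    from the body of a /proc/<pid>/status file."""
    uid = gid = None
    groups = frozenset()
    for line in text.splitlines():
        if line.startswith("Uid:"):
            uid = int(line.split()[1])        # first field is the real uid
        elif line.startswith("Gid:"):
            gid = int(line.split()[1])        # first field is the real gid
        elif line.startswith("Groups:"):
            groups = frozenset(int(g) for g in line.split()[1:])
    return uid, gid, groups


def group_credential_sets(statuses):
    """statuses: {pid: status text}. Returns {uid: {groupset: [pids]}}."""
    by_uid = defaultdict(lambda: defaultdict(list))
    for pid, text in statuses.items():
        uid, _gid, groups = parse_status(text)
        if uid is None:
            continue
        by_uid[uid][groups].append(pid)
    return by_uid


def find_split_uids(statuses):
    """uids owning processes with more than one distinct group set, i.e. the
    same user running in more than one PAG (or in a PAG and outside one)."""
    return {uid: sets for uid, sets in group_credential_sets(statuses).items()
            if len(sets) > 1}


def read_live_proc():
    """Collect every readable /proc/<pid>/status on a Linux host."""
    out = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/status") as f:
                out[int(name)] = f.read()
        except OSError:
            pass  # process exited or status not readable
    return out


# Constructed sample of the relevant /proc/<pid>/status lines (hypothetical
# pids and gids; 33000 stands in for a PAG group and is not a real encoding).
SAMPLE = {
    1:   "Name:\tinit\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\nGroups:\t\n",
    100: "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\nGroups:\t1000 \n",
    101: "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\nGroups:\t1000 33000 \n",
    102: "Name:\tvim\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\nGroups:\t1000 33000 \n",
}

if __name__ == "__main__":
    for uid, sets in find_split_uids(SAMPLE).items():
        print(f"uid {uid} runs with {len(sets)} distinct group sets:")
        for groups, pids in sets.items():
            print(f"  groups={sorted(groups)} pids={sorted(pids)}")
```

On the constructed sample only uid 1000 is reported, because pid 100 has no PAG group while pids 101 and 102 share one; replace SAMPLE with read_live_proc() to run the same check against a real host.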
