> I've never really understood the purpose served by this sort of ownership
> check on security-related dotfiles. It seems to me that if an attacker
> can write to the user's home directory, you've already lost, since they
> have control of the user's login files such as .cshrc and can easily
> escalate that to control of the account in a wide variety of different
> ways.

Generally, only if the user actually logs in, turning control of any non-home-directory resources over to whoever has write access to the home directory or dotfiles. If I never log in to a system using my AFS homedir, and never use my .cshrc file, it doesn't matter if I accidentally give you write access to it. You don't get access to my email, and you don't get to use my Kerberos credentials or AFS tokens (which I may happily be using from a laptop).

> Is there any feasible and likely attack that this particular check is defending against?

Accidental world-write access to certain dotfiles while not the directory itself (granted, generally not an issue for AFS, with the lack of such fine-grained control, unless the dotfiles are symlinks to elsewhere).
Ken
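
The kind of ownership check being discussed, as an added example that is not code from this thread or from OpenAFS. `dotfile_trusted` and `check_sample` are hypothetical names, the temp file is a constructed stand-in for a dotfile, and the check assumes a filesystem where per-file mode bits are enforced.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum dotfile_status { DOTFILE_OK, DOTFILE_OPEN_FAILED, DOTFILE_NOT_REGULAR,
                      DOTFILE_WRONG_OWNER, DOTFILE_WRITABLE_BY_OTHERS };

/* Hypothetical helper: open first, then fstat() the descriptor, so the file
 * checked is the file read, even when the path is a symlink to elsewhere.
 * On DOTFILE_OK the caller owns *fd_out and reads the dotfile through it. */
enum dotfile_status dotfile_trusted(const char *path, uid_t owner, int *fd_out)
{
    struct stat st;
    enum dotfile_status rc = DOTFILE_OK;
    int fd = open(path, O_RDONLY | O_NONBLOCK);  /* never block on a FIFO */
    if (fd < 0)
        return DOTFILE_OPEN_FAILED;
    if (fstat(fd, &st) != 0)
        rc = DOTFILE_OPEN_FAILED;
    else if (!S_ISREG(st.st_mode))
        rc = DOTFILE_NOT_REGULAR;
    else if (st.st_uid != owner)
        rc = DOTFILE_WRONG_OWNER;
    else if (st.st_mode & (S_IWGRP | S_IWOTH))  /* the accidental-chmod case */
        rc = DOTFILE_WRITABLE_BY_OTHERS;
    if (rc == DOTFILE_OK) *fd_out = fd;
    else close(fd);
    return rc;
}

/* Constructed sample: a temp file with the given mode stands in for a dotfile. */
enum dotfile_status check_sample(mode_t mode, uid_t owner)
{
    char path[] = "/tmp/dotfile_check_XXXXXX";
    int fd = -1, tmp = mkstemp(path);
    enum dotfile_status rc = (tmp >= 0 && fchmod(tmp, mode) == 0)
        ? dotfile_trusted(path, owner, &fd) : DOTFILE_OPEN_FAILED;
    if (tmp >= 0) { close(tmp); unlink(path); }
    if (rc == DOTFILE_OK) close(fd);
    return rc;
}

int main(void)
{
    printf("0600 -> %d, 0666 -> %d\n", check_sample(0600, geteuid()),
           check_sample(0666, geteuid()));
    return 0;
}
```

The parent directory's permissions are not examined, so this only catches a writable or foreign-owned file.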
