John Hascall wrote:
On Wed, 21 Mar 2007, Robert Banz wrote:
So, how was this "fixed" in 1.4.4, other than just turning setuid off by
default?
It can't be fixed without forcing authenticated connections from cache
managers, which means you key all your machines, and we modify the
fileserver to not require a pts id to exist for the keyed identity.
Possible "kludge" follows. The squeamish may wish to avert eyes... :)
How about if the cache manager marked the fileStatus entry
as 'fetchedUsecurely' and dropped the suid/sgid mode bits when
storing it and then if an authed user is referencing it, flush
the entry and refetch it securely?
How miserable would this be to implement?
That brings up a similar exploit:
Authed user has the session key, from afs/<cell> ticket.
User modifies the stream being protected by his session key,
to turn on suid bit thus gaining root.
This sounds like if root on a machine needs to trust AFS with
/usr and /bin, root better have its own keyed identity.
John
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444