Jeffrey Altman wrote:
Jason Edgecombe wrote:
Ok, so the summary is that any file copied out of /afs while not
authenticated (system:anyuser) can be spoofed. If this correct?
The issue is subtly different. It is not which credentials you have
when copying the data out of the cache, the issue is which credentials
were used when the data was copied into the cache. That is why
performing the "fs flush" before reading data as an authenticated user
ensures that you will get the correct information when fs crypt is on.
If I'm understanding this correctly, a "fs flush" is still no guarantee,
as there's a race condition against an unauth'd user accessing the file
before you do.
--
Carson
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
