Carson Gaspar wrote:
> Jeffrey Altman wrote:
>> Jason Edgecombe wrote:
>>
>>> Ok, so the summary is that any file copied out of /afs while not
>>> authenticated (system:anyuser) can be spoofed. Is this correct?
>>
>> The issue is subtly different. It is not which credentials you have
>> when copying the data out of the cache, the issue is which credentials
>> were used when the data was copied into the cache. That is why
>> performing the "fs flush" before reading data as an authenticated user
>> ensures that you will get the correct information when fs crypt is on.
>
> If I'm understanding this correctly, a "fs flush" is still no guarantee,
> as there's a race condition against an unauth'd user accessing the file
> before you do.

It depends upon your context. For the case in question the machine is
booting out of AFS and needs to copy setuid files to the local disk for
later local execution. What I described is sufficient in that case.

Jeffrey Altman
Secure Endpoints Inc.
