I'm still wondering if
a. Removing system:anyuser from ACLs will prevent this privilege escalation
b. Removing system:anyuser from ACLs except "system:anyuser l" will
prevent the privilege escalation (i.e. the only occurrence of
system:anyuser is with l permission)
Any definitive conclusions?
Thanks!
Kim
Kim Kimball wrote:
Yes, but I thought this depended on a file in the cache that had been
retrieved over an unauthenticated connection.
Lookup won't put a file in the cache.
Jeffrey Altman wrote:
Kim Kimball wrote:
If I abandon use of system:anyuser, except for lookup, does that get the
job done?
It seems to me that this forces all connections capable of fetching data
to be authenticated. If I'm reading the alert correctly, this would
prevent the FetchStatus exploit?
Kim
Lookup is performed via FetchStatus
Jeffrey Altman
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
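The question above boils down to an audit: which directories still grant system:anyuser anything beyond lookup ("l")? The script below is an added example, not part of the thread and not OpenAFS project code. It parses the output format that `fs listacl` prints ("Access list for <dir> is", a "Normal rights:" section and an optional "Negative rights:" section) and reports every Normal-rights entry for system:anyuser whose rights string is anything other than "l". The cell name, paths and ACL entries in the embedded sample are constructed; on a real cell you would pipe `fs listacl` output for the directories you care about into `audit_anyuser` instead.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): find directories whose
# ACL gives system:anyuser more than lookup ("l") rights.
# Reads "fs listacl" output on stdin and prints "DIR RIGHTS" for each
# offending entry. Entries under "Negative rights:" deny access, so they
# are deliberately ignored; only the "Normal rights:" section is checked.
audit_anyuser() {
    awk '
        # "Access list for /afs/cell/dir is" starts a new directory block
        /^Access list for / { dir = $4; section = ""; next }
        /^Normal rights:/   { section = "normal"; next }
        /^Negative rights:/ { section = "negative"; next }
        section == "normal" && $1 == "system:anyuser" {
            # anything other than a bare "l" (e.g. "rl", "rlidwka") is flagged
            if ($2 != "l") print dir, $2
        }
    '
}

# Constructed sample output: three directories, one granting read+lookup to
# anyuser, one granting lookup only, one with no anyuser entry at all.
SAMPLE='Access list for /afs/example.org/public is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
Access list for /afs/example.org/user/kim is
Normal rights:
  system:administrators rlidwka
  kim rlidwka
  system:anyuser l
Access list for /afs/example.org/private is
Normal rights:
  system:administrators rlidwka
'

# Run the audit over the constructed sample; prints only the /public line.
printf '%s\n' "$SAMPLE" | audit_anyuser
```

On a live cell, something like `find /afs/example.org -type d -exec fs listacl {} + | audit_anyuser` (path is an assumption) gives the list of directories to revisit; each hit is a place where option (b) in the question, keeping only "system:anyuser l", has not yet been applied.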