On Mon, May 3, 2010 at 10:19 PM, Jeffrey Altman <[email protected]> wrote: > On 5/1/2010 6:40 PM, Adam Megacz wrote: >> >> Is there any reason why pts won't let system:administrator create groups >> whose prefix does not match any user? >> >> $pts ex blah >> pts: User or group doesn't exist so couldn't look up id for blah >> $pts creategroup blah:booh >> pts: Badly formed name (group prefix doesn't match owner?) ; unable to >> create group blah:booh >> >> Clearly this can be circumvented by system:administrator: >> >> $pts cu blah >> User blah has id 100015 >> $pts creategroup blah:booh -owner blah >> group blah:booh has id -1012 >> $pts delete blah >> $pts ex blah:booh >> Name: blah:booh, id: -1012, owner: 0, creator: megacz, >> membership: 0, flags: S-M--, group quota: 0. >> >> is there a danger in doing this, other than perhaps confusion? > > I suspect that the above is a security issue. It means that user 1 can > be assigned pts id "foo" and if "foo" is deleted (but not foo's groups) > when user 1 leaves the company, then when user 2 comes along and is > assigned the unused "foo", s/he will inherit all of the groups that > belonged to user 1. > > I suspect the proper behavior should at some point become that deletion > of pts id "foo" should remove all of the groups as well.
Shouldn't be true. the ptserver tracks by id, not text name. and I disagree that the change is needed. > By intentionally creating groups that are owned by no valid pts id, > you increase the chance that such an id would be used for another purpose. If it tracked by name. A similar "attack" has been discussed before. pts cg shadow:something pts chown shadow:something jaltman jaltman now owns jaltman:something. Derrick _______________________________________________ OpenAFS-info mailing list [email protected] https://lists.openafs.org/mailman/listinfo/openafs-info
