OK, I understand, thank you!
Giovanni

On 27/09/2018 15:22, Jeffrey Altman wrote:
On 9/27/2018 9:11 AM, Giovanni Bracco wrote:
I have made some tests - ok it works - but I wonder why the key
authentication method is allowed only to root user

-localauth
All butc RPCs require superuser authentication.
This option must be run as root, and server key material must be present.

Our backup scripts, which have been running on a dedicated server for
many years, run under a dedicated user with administrative powers.

Why is the availability of an admin token not sufficient to run butc in a
secure way?

Giovanni

A user token can be used to authenticate outgoing connections such as
those from butc to the buserver or the volserver.  It cannot be used to
authenticate incoming connections to butc from the backup coordinator
command ("backup" or "afsbackup" depending upon the packaging.)

The privilege escalation attack is possible because of butc accepting
unauthenticated "anonymous" requests that would then result in RPCs
being issued as a privileged identity to the buserver and the volserver.
To close the security hole butc must authenticate all incoming RPCs.
To do so butc must have knowledge of the cell-wide key because without
knowledge of that key it cannot decrypt the AFS token presented by the
RPC issuer.

Jeffrey Altman



--
Giovanni Bracco
phone  +39 351 8804788
E-mail  [email protected]
WWW http://www.afs.enea.it/bracco