[OpenAFS-devel] kuserok() checking UID ownership on afs
Russ Allbery
rra@stanford.edu
Tue, 01 Feb 2005 17:12:19 -0800
Troy Benjegerdes <hozer@hozed.org> writes:
> kuserok() does not work when .k5login is on an afs volume where the
> local unix UID does not match the AFS ID.
> I've also gotten burned by the same type of paranoid UID and permissions
> checks in the courier mail server.
> This breaks cross-realm situations where you might want to allow people
> from multiple realms onto a system, and have local unix UID's not equal
> to the AFS ID.
> Is there a good solution to this? UID mapping seems a possible solution,
> and has apparently been used for GPFS.
> http://www-1.ibm.com/servers/eserver/clusters/whitepapers/uid_gpfs.html
I've never really understood the purpose served by this sort of ownership
check on security-related dotfiles. It seems to me that if an attacker
can write to the user's home directory, you've already lost, since they
have control of the user's login files such as .cshrc and can easily
escalate that to control of the account in a wide variety of different
ways.
Is there any feasible and likely attack that this particular check is
defending against?
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>