[OpenAFS-devel] kuserok() checking UID ownership on afs
Douglas E. Engert
deengert@anl.gov
Wed, 02 Feb 2005 08:14:05 -0600
Troy,
The kuserok will also accept root ownership, so your AFS admin could
do a "chown root .k5login" for the user to get this set. The user can
then update the file in AFS, and the owner does not change.
Ken
Would you accept any changes in this area to check if the file
is in AFS, and not check the ownership?
like if (strncmp(path,"/afs",4) ...
Ken Raeburn wrote:
> On Feb 1, 2005, at 20:12, Russ Allbery wrote:
>
>> I've never really understood the purpose served by this sort of ownership
>> check on security-related dotfiles. It seems to me that if an attacker
>> can write to the user's home directory, you've already lost, since they
>> have control of the user's login files such as .cshrc and can easily
>> escalate that to control of the account in a wide variety of different
>> ways.
>
>
> Generally, only if the user actually logs in, turning control of any
> non-home-directory resources over to whomever has write access to the
> home directory or dotfiles. If I never log in to a system using my AFS
> homedir, and never use my .cshrc file, it doesn't matter if I
> accidentally give you write access to it. You don't get access to my
> email, and you don't get to use my Kerberos credentials or AFS tokens
> (which I may happily be using from a laptop).
>
>> Is there any feasible and likely attack that this particular check is
>> defending against?
>
>
> Accidental world-write access to certain dotfiles while not the
> directory itself (granted, generally not an issue for AFS, with the lack
> of such fine-grained control, unless the dotfiles are symlinks to
> elsewhere).
>
> Ken
>
> _______________________________________________
> krbdev mailing list krbdev@mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
>
>
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444