[OpenAFS-devel] kuserok() checking UID ownership on afs
Ken Raeburn
raeburn@MIT.EDU
Tue, 1 Feb 2005 21:55:09 -0500

On Feb 1, 2005, at 20:12, Russ Allbery wrote:
> I've never really understood the purpose served by this sort of
> ownership check on security-related dotfiles. It seems to me that if
> an attacker
> can write to the user's home directory, you've already lost, since they
> have control of the user's login files such as .cshrc and can easily
> escalate that to control of the account in a wide variety of different
> ways.

Generally, only if the user actually logs in, turning control of any
non-home-directory resources over to whoever has write access to the
home directory or dotfiles. If I never log in to a system using my AFS
homedir, and never use my .cshrc file, it doesn't matter if I
accidentally give you write access to it. You don't get access to my
email, and you don't get to use my Kerberos credentials or AFS tokens
(which I may happily be using from a laptop).

> Is there any feasible and likely attack that this particular check is
> defending against?

Accidental world-write access to certain dotfiles while not the
directory itself (granted, generally not an issue for AFS, with the
lack of such fine-grained control, unless the dotfiles are symlinks to
elsewhere).

Ken
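
An added example, not part of the original message and not OpenAFS or Kerberos source: a minimal owner-and-mode check on a per-user dotfile, covering the case raised above of a dotfile that is writable by others, including one reached through a symlink. The names `check_dotfile` and `demo_check`, the status values and the `/tmp` sample files are hypothetical and constructed for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum dotfile_status { DOTFILE_OK, DOTFILE_UNREADABLE, DOTFILE_NOT_REGULAR,
                      DOTFILE_WRONG_OWNER, DOTFILE_WRITABLE_BY_OTHERS };

/* Open first and fstat() the descriptor, so the verdict describes the file
 * that would actually be read, including the target of a symlink. */
enum dotfile_status check_dotfile(const char *path, uid_t expected_owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0) return DOTFILE_UNREADABLE;
    int rc = fstat(fd, &st);
    close(fd);
    if (rc != 0) return DOTFILE_UNREADABLE;
    if (!S_ISREG(st.st_mode)) return DOTFILE_NOT_REGULAR;
    if (st.st_uid != expected_owner) return DOTFILE_WRONG_OWNER;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return DOTFILE_WRITABLE_BY_OTHERS;
    return DOTFILE_OK;
}

/* Hypothetical helper: builds a constructed temp file with the given mode,
 * optionally reached through a symlink, and returns the check's verdict. */
enum dotfile_status demo_check(mode_t mode, int via_symlink, uid_t owner)
{
    char file[] = "/tmp/dotfile-demo-XXXXXX", lnk[64];
    int fd = mkstemp(file);
    if (fd < 0) return DOTFILE_UNREADABLE;
    fchmod(fd, mode);
    close(fd);
    snprintf(lnk, sizeof lnk, "%s.lnk", file);
    if (via_symlink && symlink(file, lnk) != 0) via_symlink = -1;
    enum dotfile_status s = via_symlink < 0 ? DOTFILE_UNREADABLE
        : check_dotfile(via_symlink ? lnk : file, owner);
    if (via_symlink > 0) unlink(lnk);
    unlink(file);
    return s;
}

int main(void)
{
    printf("0600 direct: %d\n", demo_check(0600, 0, geteuid()));
    printf("0666 via symlink: %d\n", demo_check(0666, 1, geteuid()));
    return 0;
}
```

The check uses POSIX mode bits only; on AFS, where access is governed by directory ACLs, the mode bits do not describe who can write the file.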