[OpenAFS-devel] kuserok() checking UID ownership on afs

Ken Raeburn raeburn@MIT.EDU
Tue, 1 Feb 2005 21:55:09 -0500


On Feb 1, 2005, at 20:12, Russ Allbery wrote:
> I've never really understood the purpose served by this sort of ownership
> check on security-related dotfiles.  It seems to me that if an attacker
> can write to the user's home directory, you've already lost, since they
> have control of the user's login files such as .cshrc and can easily
> escalate that to control of the account in a wide variety of different
> ways.

Generally, only if the user actually logs in, turning control of any 
non-home-directory resources over to whoever has write access to the 
home directory or dotfiles.  If I never log in to a system using my AFS 
homedir, and never use my .cshrc file, it doesn't matter if I 
accidentally give you write access to it.  You don't get access to my 
email, and you don't get to use my Kerberos credentials or AFS tokens 
(which I may happily be using from a laptop).

> Is there any feasible and likely attack that this particular check is
> defending against?

Accidental world-write access to certain dotfiles while not the 
directory itself (granted, generally not an issue for AFS, with the 
lack of such fine-grained control, unless the dotfiles are symlinks to 
elsewhere).

Ken