[OpenAFS] bos getlog
Charles Clancy
mgrtcc@cs.rose-hulman.edu
Sat, 21 Jul 2001 10:51:27 -0500
Why aren't there more restrictions on what "bos getlog" can obtain?
[voodoo]/Users/managers/mgrtcc> klog admin
Password:
[voodoo]/Users/managers/mgrtcc> bos getlog galaxy /etc/shadow
Fetching log file '/etc/shadow'...
root:(sanitized):11242::::::
daemon:NP:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:NP:6445::::::
lp:NP:6445::::::
uucp:NP:6445::::::
nuucp:NP:6445::::::
listen:NP:::::::
www:x:11512::::::
nobody:NP:6445::::::
nobody4:NP:6445::::::
ftp:x:11512::::::
oracle:x:11512::::::
+@managers:x:11297::::::
+:x:11297::::::
Couldn't we limit the files it grabs to those in /usr/afs/logs?
I'm just thinking of possible attack scenarios:
1. use a local exploit on an AFS client machine to get root
2. make a /usr/bin/klog that shows up first in the path and records
passwords before running the real klog
3. grab admin password
4. grab and decrypt /etc/shadow on the AFS server
5. run amuck
_________________________________________
Charles Clancy, mgrtcc@cs.rose-hulman.edu
sysadmin emeritus - RHIT Computer Science
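The confinement the post asks for ("limit the files it grabs to those in /usr/afs/logs") can be done with a lexical path check before the server ever opens the requested name. The C below is an added illustration written for this archive page, not OpenAFS code: the function name confine_log_path, the LOG_DIR constant and the sample log names are assumptions for the example. It refuses absolute paths, empty components and any "." or ".." component, so a request like /etc/shadow is rejected before any file is touched.

```c
#include <stdio.h>
#include <string.h>

/* Directory that log requests are confined to (assumed for this example). */
#define LOG_DIR "/usr/afs/logs"

/*
 * Map a client-supplied log name onto a path under LOG_DIR.
 * Accepts only relative names made of plain components: no leading '/',
 * no empty components ("a//b", trailing '/'), no "." and no "..".
 * On success writes LOG_DIR "/" req into out and returns 1; otherwise 0.
 */
int confine_log_path(const char *req, char *out, size_t outlen)
{
    const char *p = req;

    if (req == NULL || *req == '\0' || *req == '/')
        return 0;                                   /* empty or absolute */

    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 0)
            return 0;                               /* "//" or trailing '/' */
        if (len == 1 && p[0] == '.')
            return 0;                               /* "." component */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;                               /* ".." traversal */
        if (end == NULL)
            break;
        p = end + 1;
    }

    int n = snprintf(out, outlen, "%s/%s", LOG_DIR, req);
    if (n < 0 || (size_t)n >= outlen)
        return 0;                                   /* would not fit */
    return 1;
}

/* Convenience wrapper: returns the confined path, or NULL if refused. */
const char *confined_log_path(const char *req)
{
    static char buf[512];
    return confine_log_path(req, buf, sizeof buf) ? buf : NULL;
}

int main(void)
{
    /* Constructed sample requests: the first two mirror the post's example. */
    const char *requests[] = {
        "/etc/shadow", "../../../etc/shadow", "BosLog", "FileLog", "sub//x", "."
    };
    size_t i;

    for (i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        const char *path = confined_log_path(requests[i]);
        printf("%-24s -> %s\n", requests[i], path ? path : "REFUSED");
    }
    return 0;
}
```

This is a lexical check only: a symbolic link placed inside the log directory could still point elsewhere, so the open that follows should also refuse to follow symlinks (O_NOFOLLOW) or compare the resolved path against the directory.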