[OpenAFS] keeping openafs from breaking group security
Derek Atkins
warlord@MIT.EDU
Sun, 6 Feb 2005 12:46:23 -0500
"Doctor, doctor, it hurts when I do this...."
-derek
Quoting Matthew Miller <mattdm@mattdm.org>:
> I know I've said this before, but it was broken for a while, and now that
> it's back, I wanted to agitate about it a bit, because it's a real problem.
>
>
> 1. Look in password file to find the group id of a professor or
> administrator or smart kid with papers you want to steal. Say,
> 44490. Username of "victim".
>
> 2. Run 'pagsh', and get something like this:
>
> $ id
> uid=18281(mattdm) gid=18281(mattdm)
> groups=33550,44480,10(wheel),501(bulinux),502(aptgen),18281(mattdm)
>
> 3. Hmmm. Not good enough. Let's try exiting pagsh and running it again.
> Now we get:
>
> $ id
> uid=18281(mattdm) gid=18281(mattdm)
> groups=33550,44481,10(wheel),501(bulinux),502(aptgen),18281(mattdm)
>
>
> 4. Cool -- getting closer. Run it, oh, say, 9 more times, and:
>
> $ id
> uid=18281(mattdm) gid=18281(mattdm)
> groups=33550,44490(victim),10(wheel),501(bulinux),502(aptgen),18281(mattdm)
>
> 5. Tada! I'm a member of someone else's group.
>
>
> OpenAFS has no business breaking normal Unix security -- even if it has done
> this since time immemorial. It has got to be done a different way.
>
> If I remember right, there *was* talk of doing it some different way. Has
> there been any progress on that?
>
> In the meantime, is there a simple way to disable this completely?
>
>
>
> --
> Matthew Miller mattdm@mattdm.org <http://www.mattdm.org/>
> --> Fedora Users & Developers Conference, hosted by Boston University <--
> February 18th, 2005 <http://fedoraproject.org/wiki/FUDCon1>
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
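
A check for the collision reported in the quoted message, as an added example that is not part of the original thread or of OpenAFS: it compares the gids a session holds against what the passwd and group databases actually grant the user. The account data is constructed to match the quoted `id` output, and `load_accounts` and `audit_session` are hypothetical names.

```python
# Added example: account data below is constructed to match the quoted `id` output.
PASSWD = """\
mattdm:x:18281:18281::/home/mattdm:/bin/bash
victim:x:44490:44490::/home/victim:/bin/bash
"""
GROUP = """\
wheel:x:10:mattdm
bulinux:x:501:mattdm
aptgen:x:502:mattdm
mattdm:x:18281:
victim:x:44490:
"""

def load_accounts(passwd_text, group_text):
    """Return (primary gid per user, group name per gid, listed members per gid)."""
    primary, names, members = {}, {}, {}
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 4:
            primary[f[0]] = int(f[3])
    for line in group_text.splitlines():
        f = line.split(":")
        if len(f) >= 4:
            gid = int(f[2])
            names[gid] = f[0]
            members[gid] = {m for m in f[3].split(",") if m}
    return primary, names, members

def audit_session(user, session_gids, passwd_text=PASSWD, group_text=GROUP):
    """Flag gids held by a session that the account databases do not grant to `user`.

    'collision' = gid belongs to a real group the user is not a member of;
    'unmapped'  = gid has no group entry at all (what a marker gid should look like).
    """
    primary, names, members = load_accounts(passwd_text, group_text)
    # A gid used as someone's primary group is real even without a group entry.
    for name, gid in primary.items():
        names.setdefault(gid, name)
    findings = []
    for gid in session_gids:
        if gid == primary.get(user) or user in members.get(gid, set()):
            continue  # legitimately granted
        kind = "collision" if gid in names else "unmapped"
        findings.append((gid, kind, names.get(gid)))
    return findings

if __name__ == "__main__":
    for gids in ([33550, 44480, 10, 501, 502, 18281], [33550, 44490, 10, 501, 502, 18281]):
        print(audit_session("mattdm", gids))
```

On a live host the same comparison can be fed from `/etc/passwd`, `/etc/group` and the `Groups:` line of `/proc/<pid>/status`.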