[OpenAFS] Re: [OpenAFS-announce] OpenAFS Security Advisory 2007-001: privilege escalation in Unix-based clients

Derrick J Brashear shadow@dementia.org
Wed, 21 Mar 2007 13:42:04 -0400 (EDT)

On Wed, 21 Mar 2007, Derek Atkins wrote:

> Quoting Derrick J Brashear <shadow@dementia.org>:
>> On Wed, 21 Mar 2007, ted creedon wrote:
>>> Therefore, two cells could be used, one suid and the other for everything
>>> else?
>> You could, but that's not going to prevent the attack unless you ensure all 
>> access to the setuid cell is authenticated and enforce that at the client 
>> end
> Well, if everything in the suidcell is system:authuser...  That would
> enforce that, right?

Not at the client end... Well, you can probably make it work but the 
server's idea of ACL and what it means enforces nothing at the client.