[OpenAFS] Re: [OpenAFS-announce] OpenAFS Security Advisory 2007-001: privilege escalation in Unix-based clients

Derrick J Brashear shadow@dementia.org
Wed, 21 Mar 2007 15:18:17 -0400 (EDT)

On Wed, 21 Mar 2007, John Hascall wrote:

>> On Wed, 21 Mar 2007, Robert Banz wrote:
>>> So, how was this "fixed" in 1.4.4, other than just turning setuid off by
>>> default?
>> It can't be fixed without forcing authenticated connections from cache
>> managers, which means you key all your machines, and we modify the
>> fileserver to not require a pts id to exist for the keyed identity.
> Possible kludg" follows.  The squeamish may wish to avert eyes... :)
> How about if the cache manager marked the fileStatus entry
> as 'fetchedUsecurely' and dropped the suid/sgid mode bits when
> storing it and then if an authed user is referencing it, flush
> the entry and refetch it securely?
> How miserable would this be to implement?

not overly, actually, but it wasn't something we could get done by 1.4.3 
time. it also only helps if it's an auth'd user but that's better than 
nothing, at least if it's something you allow people to opt into (i could 
see cases where losing suid but being able to run it anyway in some cases 
but keeping suid in others would be a usability nightmare)