[OpenAFS] Re: [OpenAFS-announce] OpenAFS Security Advisory 2007-001: privilege escalation in Unix-based clients

Douglas E. Engert deengert@anl.gov
Wed, 21 Mar 2007 16:19:09 -0500

John Hascall wrote:
>> On Wed, 21 Mar 2007, Robert Banz wrote:
>>> So, how was this "fixed" in 1.4.4, other than just turning setuid off by 
>>> default?
>> It can't be fixed without forcing authenticated connections from cache 
>> managers, which means you key all your machines, and we modify the 
>> fileserver to not require a pts id to exist for the keyed identity.
> Possible kludg" follows.  The squeamish may wish to avert eyes... :)
> How about if the cache manager marked the fileStatus entry
> as 'fetchedUsecurely' and dropped the suid/sgid mode bits when
> storing it and then if an authed user is referencing it, flush
> the entry and refetch it securely?
> How miserable would this be to implement?

That brings up a similar exploit:

Authed user has the session key, from afs/<cell> ticket.
User modifies the stream being protected by his session key,
to turn on suid bit thus gaining root.

This sounds like if root on a machine needs to trust AFS with
/usr and /bin, root better have its own keyed identity.

> John
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info


  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444