[OpenAFS] Re: [OpenAFS-announce] OpenAFS Security Advisory 2007-001: privilege escalation in Unix-based clients

John Hascall john@iastate.edu
Wed, 21 Mar 2007 16:54:28 CDT

> That brings up a similar exploit:
> Authed user has the session key, from afs/<cell> ticket.
> User modifies the stream being protected by his session key,
> to turn on suid bit thus gaining root.
> This sounds like if root on a machine needs to trust AFS with
> /usr and /bin, root better have its own keyed identity.

It also seems to me that you could do a pretty effective D.O.S.
by sending fileStatus for various files (say starting with /bin/sh)
with zero'd mode bits.