[OpenAFS] Security Advisory 2007-001: privilege escalation in Unix-based clients

Christopher D. Clausen cclausen@acm.org
Wed, 28 Mar 2007 16:16:38 -0500

Jeffrey Hutzelman <jhutz@cmu.edu> wrote:
> On Friday, March 23, 2007 10:04:28 AM -0400 Jeffrey Altman
> <jaltman@secure-endpoints.com> wrote:
>> Kim Kimball wrote:
>>> I'm still wondering if
>>> a.  Removing system:anyuser from ACLs will prevent this privilege
>>> escalation
>>> b.  Removing system:anyuser from ACLs except "system:anyuser l" will
>>> prevent the privilege escalation (i.e. the only occurrence of
>>> system:anyuser is with l permission)
>>> Any definitive conclusions?
>> As has been discussed on this list over the last few days, modifying
>> the contents of unprotected data retrieved via anonymous connections
>> is just one form of attack that can be executed.
> What Jeff is trying to say is "no".
> Changing ACL's will not prevent this attack.
> Changing servers will not prevent this attack.
> Period.
> The only way to prevent this attack is for clients not to honor suid
> bits from sources not trusted _by the client_.  Since the current AFS
> client has no way to obtain a secure connection to the fileserver
> with which the user cannot tamper, all sources must be considered
> untrusted.

If there was a way to make the client only use encrypted connections 
(force fs setcrypt on and ignore unencrypted connections) would that be 
sufficient to prevent the privilege escalation?  (I am am aware there 
isn't an easy way to do this now.)  Or do encrypted connections also not 
trust the fileservers?