OpenAFS Master Repository branch, openafs-stable-1_6_x, updated. openafs-stable-1_6_16-16-g5ce1027

Gerrit Code Review gerrit@openafs.org
Wed, 16 Mar 2016 11:05:57 -0400


The following commit has been merged in the openafs-stable-1_6_x branch:
commit 396240cf070a806b91fea81131d034e1399af1e0
Author: Benjamin Kaduk <kaduk@mit.edu>
Date:   Wed Mar 9 19:30:20 2016 -0600

    OPENAFS-SA-2016-001 group creation by foreign users
    
    CVE-2016-2860:
    
    The ptserver permits foreign-cell users to create groups as if they were
    system:administrators.  In particular, groups in the user namespace
    (with no colon) and the system: namespace can be created.  No group
    quota is enforced for the creation of these groups, but they will be
    owned by system:administrators and cannot be changed by the user that
    created them.  When processing requests from foreign users, the
    creator ID is overwritten with the ID of system:administrators, and
    that field is later used for access control checks in
    CorrectGroupName(), called from CreateEntry().
    
    The access-control bypass is not possible for creating user entries,
    since there is an early check in CreateOK() that only permits
    administrators to create users, using a correct test for whether
    the call is being made by an administrator.
    
    FIXES 132822
    
    [Based on a patch by Jeffrey Altman.]
    
    Change-Id: I77dcf4a2f7d9c770c805a649f2ddc6bee5f83389

 src/ptserver/ptprocs.c |   20 +++++++++++++-------
 1 files changed, 13 insertions(+), 7 deletions(-)

-- 
OpenAFS Master Repository
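The commit message above describes a confused-identity bug: an identity field that is rewritten for one purpose (recording system:administrators as the owner of entries created by foreign-cell users) is later reused for a different purpose (the privilege check on group names). The toy C program below is an added illustration of that pattern and its fix; it is not OpenAFS code, and the ID values, the `call_ctx` structure, and the function names are constructed for this example. It models a "before" variant that authorizes on the rewritten creator field and an "after" variant that authorizes on the authenticated caller, matching the kind of test the message says CreateOK() already performs for user entries.

```c
#include <stdio.h>
#include <string.h>

/* Constructed placeholder IDs; OpenAFS's real PTS IDs are not assumed here. */
#define ID_SYSADMIN   (-204)   /* stands in for system:administrators */
#define ID_FOREIGN     9001    /* a foreign-cell user */
#define ID_LOCAL       1234    /* a local user */

/* Per-request context of a hypothetical group-creation RPC. */
struct call_ctx {
    int caller_id;    /* authenticated identity that issued the request */
    int is_foreign;   /* nonzero if caller_id belongs to a foreign cell */
    int creator_id;   /* identity recorded as creator/owner of the new entry */
};

static int is_admin(int id) { return id == ID_SYSADMIN; }

/* Group names that only administrators may create: the user namespace
   (no colon at all) and the system: namespace. */
static int name_is_privileged(const char *name) {
    return strchr(name, ':') == NULL || strncmp(name, "system:", 7) == 0;
}

/* Ownership bookkeeping shared by both variants: entries created by foreign
   users are owned by system:administrators, everyone else owns their own. */
static void assign_creator(struct call_ctx *ctx) {
    ctx->creator_id = ctx->is_foreign ? ID_SYSADMIN : ctx->caller_id;
}

/* Vulnerable variant: the privilege check consults creator_id, which for
   foreign callers has already been rewritten to the admin ID, so the
   check passes for any foreign user. Returns 1 if the group is created. */
static int create_group_vulnerable(struct call_ctx *ctx, const char *name) {
    assign_creator(ctx);
    if (name_is_privileged(name) && !is_admin(ctx->creator_id))
        return 0;
    return 1;
}

/* Fixed variant: the privilege check keys off the authenticated caller.
   creator_id is still rewritten for ownership, but never for authorization. */
static int create_group_fixed(struct call_ctx *ctx, const char *name) {
    assign_creator(ctx);
    if (name_is_privileged(name) && !is_admin(ctx->caller_id))
        return 0;
    return 1;
}

/* Helper for tests and the demo: run one request through either variant. */
int try_create(int caller_id, int is_foreign, const char *name, int use_fix) {
    struct call_ctx ctx = { caller_id, is_foreign, 0 };
    return use_fix ? create_group_fixed(&ctx, name)
                   : create_group_vulnerable(&ctx, name);
}

int main(void) {
    const char *names[] = { "system:rogue", "nocolon", "user:ordinary" };
    for (int i = 0; i < 3; i++) {
        printf("foreign user -> %-14s vulnerable=%d fixed=%d\n", names[i],
               try_create(ID_FOREIGN, 1, names[i], 0),
               try_create(ID_FOREIGN, 1, names[i], 1));
    }
    return 0;
}
```

Running it shows the foreign caller creating `system:rogue` and `nocolon` under the vulnerable variant and being refused under the fixed one, while an ordinary colon-qualified group is accepted by both; an administrator is accepted by both for every name.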