[OpenAFS] A security hole or a mistake of configuration

Russ Allbery rra@stanford.edu
Wed, 06 Feb 2002 18:34:21 -0800


Mike Lee <mike.li@bamboonetworks.com> writes:

> When PAM is not configured,
> <1> USER1 uses klog to log in to AFS (tty1)
> <2> switch to another terminal (tty2), log in as root, and su USER1, and
> this terminal got tokens as tty1 without any password

> With PAM configured, that does not happen.

Yes.  This is an artifact of how PAGs (process authentication groups)
work.  Part of what PAM does is create a PAG for you and put your login
session inside it, which means that any AFS tokens that you acquire are
restricted to that particular PAG.  If you don't create a PAG, however,
those tokens are available to any other processes running under the same
UID that also aren't in a PAG (or at least that's my understanding and my
experiments seem to support that).  This is occasionally useful for things
like long-running daemons.

For user logins, though, you generally want to be sure that something puts
each login into a separate PAG.

It's not really a security hole per se, or rather not an additional
security vulnerability.  There are quite a few different ways that someone
with root on the machine can get any active AFS token of any user on that
machine.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
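
Added example, not part of the original message and not OpenAFS project code: a shell check for whether a login session is inside a PAG, which is the condition the reply above says each user login should satisfy. It assumes the Linux client's convention of marking PAG membership with a supplementary group ID whose top byte is 0x41 ('A'); the function names and the sample group lists are constructed for illustration.

```shell
#!/bin/sh
# Assumption: PAG membership appears as a supplementary group ID in the
# range 0x41000000-0x41ffffff (top byte 'A'), as on Linux OpenAFS clients.

# pag_from_groups GID...
# Prints the first group ID that encodes a PAG and returns 0;
# returns 1 when none of the IDs does.
pag_from_groups() {
    for gid in "$@"; do
        case $gid in
            ''|*[!0-9]*) continue ;;   # ignore anything that is not a decimal ID
        esac
        # 0x41000000 = 1090519040, 0x41ffffff = 1107296255
        if [ "$gid" -ge 1090519040 ] && [ "$gid" -le 1107296255 ]; then
            printf '%s\n' "$gid"
            return 0
        fi
    done
    return 1
}

# session_pag_status GID...
# One-line verdict for a session, given its group list.
session_pag_status() {
    if pag=$(pag_from_groups "$@"); then
        printf 'in PAG (group %s): tokens are restricted to this PAG\n' "$pag"
    else
        printf 'no PAG: tokens are visible to other PAG-less processes of this UID\n'
    fi
}

# Constructed sample group lists (not captured from a real host).
session_pag_status 1000 27 1091234567   # session placed in a PAG at login
session_pag_status 1000 27              # session that never got a PAG
```

On a live client the same check is `session_pag_status $(id -G)`, run from the login shell, for example in a profile script that warns when a session has no PAG.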