[OpenAFS] keeping openafs from breaking group security

Kris Van Hees aedil-afs@alchar.org
Sun, 6 Feb 2005 12:26:13 -0500


What you are seeing is due to how the PAG id is encoded in the groups.  With
the new Linux 2.6 kernel stuff that should go away since other facilities like
the keyring support can be used for things like this.

The answer to the security risk of encoding the PAG in the group ids is of
course in part that when you're using AFS you could be using the AFS ACLs
for securing access to directories rather than using Unix user and group ids.

	Kris

On Sun, Feb 06, 2005 at 11:40:07AM -0500, Matthew Miller wrote:
> I know I've said this before, but it was broken for a while, and now that
> it's back, I wanted to agitate about it a bit, because it's a real problem.
> 
> 
> 1. Look in password file to find the group id of a professor or
>    administrator or smart kid with papers you want to steal. Say,
>    44490. Username of "victim".
> 
> 2. Run 'pagsh', and get something like this:
> 
>   $ id
>   uid=18281(mattdm) gid=18281(mattdm)
>   groups=33550,44480,10(wheel),501(bulinux),502(aptgen),18281(mattdm)
> 
> 3. Hmmm. Not good enough. Let's try exiting pagsh and running it again.
>    Now we get:
> 
>   $ id
>   uid=18281(mattdm) gid=18281(mattdm)
>   groups=33550,44481,10(wheel),501(bulinux),502(aptgen),18281(mattdm)
> 
> 
> 4. Cool -- getting closer. Run it, oh, say, 9 more times, and:
> 
>   $ id
>   uid=18281(mattdm) gid=18281(mattdm)
>   groups=33550,44490(victim),10(wheel),501(bulinux),502(aptgen),18281(mattdm)
> 
> 5. Tada! I'm a member of someone else's group.
> 
> 
> OpenAFS has no business breaking normal Unix security -- even if it has done
> this since time immemorial. It has got to be done a different way.
> 
> If I remember right, there *was* talk of doing it some different way. Has
> there been any progress on that?
> 
> In the meantime, is there a simple way to disable this completely?
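
A detection check for the collision described in this thread, added here as an example (not code from either poster or from OpenAFS). It assumes the PAG pair occupies the first two group slots as in the `id` output above, that a name in parentheses means the gid exists in the group database, and that the decoding constants (my recollection of the OpenAFS group-pair scheme, which agrees with the gids quoted in the post) are correct.

```python
import re

# Assumed constants of the gid-pair PAG encoding; not stated in the thread.
PAG_OFFSET = 0x3F00
PAG_LIMIT = 0xC000


def decode_pag(g0, g1):
    """Return the 32-bit PAG carried by a gid pair, or None if it is not one."""
    a, b = g0 - PAG_OFFSET, g1 - PAG_OFFSET
    if not (0 <= a < PAG_LIMIT and 0 <= b < PAG_LIMIT):
        return None
    low = ((a & 0x3FFF) << 14) | (b & 0x3FFF)
    high = (b >> 14) + 3 * (a >> 14)
    pag = ((high << 28) | low) & 0xFFFFFFFF
    # A valid PAG has ASCII 'A' in its top byte.
    return pag if (pag >> 24) == ord("A") else None


def parse_groups(id_output):
    """Extract [(gid, name_or_None), ...] from the groups= field of `id` output."""
    m = re.search(r"groups=(\S+)", id_output)
    if not m:
        return []
    pairs = re.findall(r"(\d+)(?:\(([^)]*)\))?", m.group(1))
    return [(int(gid), name or None) for gid, name in pairs]


def audit(id_output):
    """Report a PAG whose carrier gids also resolve to a real group."""
    groups = parse_groups(id_output)
    if len(groups) < 2:
        return None
    pag = decode_pag(groups[0][0], groups[1][0])
    if pag is None:
        return None
    collisions = [(gid, name) for gid, name in groups[:2] if name]
    return {"pag": pag, "collisions": collisions}


# Sample input: the `id` output quoted in steps 2 and 4 of the post.
STEP2 = ("uid=18281(mattdm) gid=18281(mattdm)\n"
         "groups=33550,44480,10(wheel),501(bulinux),502(aptgen),18281(mattdm)")
STEP4 = ("uid=18281(mattdm) gid=18281(mattdm)\n"
         "groups=33550,44490(victim),10(wheel),501(bulinux),502(aptgen),18281(mattdm)")

if __name__ == "__main__":
    for label, text in (("step 2", STEP2), ("step 4", STEP4)):
        print(label, audit(text))
```

A non-empty `collisions` list means a gid that only carries the PAG is also being honoured as membership in a real group, which is the condition an administrator would want to alert on or avoid by allocating gids outside the encodable range.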