[OpenAFS] File ownership/permissions semantics
Fri, 03 Nov 2006 10:48:40 -0500
Quoting "Christopher D. Clausen" <email@example.com>:
>> This script could also touch a file in the class volume
>> so the TAs have the list of users. A simple "rli" will let you do
> You could touch files for other students then. (I'm not sure if that
> would be a bad or not, it would depend if students can get negative
> points for turning in non-functioning code.)
There's really no risk here, tho, unless different students have homework
due at different times. The fact that student A touches a file for student
B only means that the TAs would think that student B exists.. nothing more.
If student B isn't in the class, then it's just a DoS against the TAs
(because they have to do more work to find the real homework). If student
B IS in the class, well, their homework would be due at the same time
as student A, so when the TA looks into ~B/path/to/homework they would still
find student B's results, working or no.
I'll also point out that in the previous approach this attack is even worse!
Student A could create a directory in the class-volume under student B's
name, but make it so student B couldn't access it! Then student B would
be locked out from submitting work at all! I would consider that even
worse than telling the TAs about a student who isn't in the class.
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available