[OpenAFS] Re: [OpenAFS-announce] OpenAFS Security Advisory 2007-001: privilege escalation in Unix-based clients

Derek Atkins warlord@MIT.EDU
Wed, 21 Mar 2007 13:34:41 -0400


Quoting Derrick J Brashear <shadow@dementia.org>:

> On Wed, 21 Mar 2007, ted creedon wrote:
>
>> Therefore, two cells could be used, one suid and the other for everything
>> else?
>
> You could, but that's not going to prevent the attack unless you 
> ensure all access to the setuid cell is authenticated and enforce 
> that at the client end.

Well, if everything in the suidcell is system:authuser...  That would
enforce that, right?

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available