[OpenAFS] Re: [OpenAFS-announce] OpenAFS Security Advisory 2007-001: privilege escalation in Unix-based clients
ted creedon
tcreedon@easystreet.com
Wed, 21 Mar 2007 10:41:12 -0700
The types of binaries usually kept in a user's directory would be executed
with a valid token?
-----Original Message-----
From: openafs-info-admin@openafs.org [mailto:openafs-info-admin@openafs.org]
On Behalf Of Derek Atkins
Sent: Wednesday, March 21, 2007 10:35 AM
To: Derrick J Brashear
Cc: ted creedon; openafs-info@openafs.org
Subject: RE: [OpenAFS] Re: [OpenAFS-announce] OpenAFS Security
Advisory 2007-001: privilege escalation in Unix-based clients
Quoting Derrick J Brashear <shadow@dementia.org>:
> On Wed, 21 Mar 2007, ted creedon wrote:
>
>> Therefore, two cells could be used, one suid and the other for everything
>> else?
>
> You could, but that's not going to prevent the attack unless you
> ensure all access to the setuid cell is authenticated and enforce
> that at the client end.
Well, if everything in the suidcell is system:authuser... That would
enforce that, right?
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available