[OpenAFS] Re: [OpenAFS-announce] OpenAFS Security Advisory 2007-001: privilege escalation in Unix-based clients
Derrick J Brashear
shadow@dementia.org
Wed, 21 Mar 2007 13:42:04 -0400 (EDT)

On Wed, 21 Mar 2007, Derek Atkins wrote:
> Quoting Derrick J Brashear <shadow@dementia.org>:
>
>> On Wed, 21 Mar 2007, ted creedon wrote:
>>
>>> Therefore, two cells could be used, one suid and the other for everything
>>> else?
>>
>> You could, but that's not going to prevent the attack unless you ensure all
>> access to the setuid cell is authenticated and enforce that at the client
>> end
>
> Well, if everything in the suidcell is system:authuser... That would
> enforce that, right?

Not at the client end... Well, you can probably make it work but the
server's idea of ACL and what it means enforces nothing at the client.