[OpenAFS] Re: [OpenAFS-announce] OpenAFS Security Advisory 2007-001: privilege escalation in Unix-based clients
Wed, 21 Mar 2007 14:19:24 -0400
On Mar 21, 2007, at 13:42, Derrick J Brashear wrote:
> On Wed, 21 Mar 2007, Derek Atkins wrote:
>> Quoting Derrick J Brashear <firstname.lastname@example.org>:
>>> On Wed, 21 Mar 2007, ted creedon wrote:
>>>> Therefore, two cells could be used, one suid and the other for
>>> You could, but that's not going to prevent the attack unless you
>>> ensure all access to the setuid cell is authenticated and enforce
>>> that at the client end
>> Well, if everything in the suidcell is system:authuser... That would
>> enforce that, right?
> Not at the client end... Well, you can probably make it work but
> the server's idea of ACL and what it means enforces nothing at the
Damn, well, aren't we all up a protocol pickle without a paddle...
I was hoping to come up with some amazing suggestion, or at least
something more encouraging to say. I ain't got nothin'.