[OpenAFS] Re: [OpenAFS-announce] OpenAFS Security Advisory 2007-001:
privilege escalation in Unix-based clients
Douglas E. Engert
deengert@anl.gov
Wed, 21 Mar 2007 16:19:09 -0500
John Hascall wrote:
>> On Wed, 21 Mar 2007, Robert Banz wrote:
>>> So, how was this "fixed" in 1.4.4, other than just turning setuid off by
>>> default?
>
>> It can't be fixed without forcing authenticated connections from cache
>> managers, which means you key all your machines, and we modify the
>> fileserver to not require a pts id to exist for the keyed identity.
>
> Possible "kludge" follows. The squeamish may wish to avert eyes... :)
>
> How about if the cache manager marked the fileStatus entry
> as 'fetchedUnsecurely' and dropped the suid/sgid mode bits when
> storing it, and then, if an authed user is referencing it, flush
> the entry and refetch it securely?
>
> How miserable would this be to implement?
That brings up a similar exploit:
Authed user has the session key, from afs/<cell> ticket.
User modifies the stream being protected by his session key,
to turn on suid bit thus gaining root.
This sounds like if root on a machine needs to trust AFS with
/usr and /bin, root better have its own keyed identity.
>
> John
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
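The thread discusses two client-side mitigations: the 1.4.4 default of honouring no setuid/setgid bits from AFS at all, and John's proposal of stripping the bits from entries fetched over an unauthenticated connection and refetching securely when an authenticated user touches them. The following is an added, self-contained Python model of that cache-manager policy; it is not OpenAFS code, and the `FakeFileserver`, `CacheManager` and `allow_suid` names are constructed for the illustration.

```python
import stat
from dataclasses import dataclass

# setuid/setgid bits that an insecurely fetched entry must never carry.
SETID_BITS = stat.S_ISUID | stat.S_ISGID


@dataclass
class FileStatus:
    """One cached status entry (constructed; not the OpenAFS struct)."""
    fid: str
    mode: int
    fetched_insecurely: bool  # John's proposed marker bit


class FakeFileserver:
    """Constructed stand-in for a fileserver: maps fid -> mode bits."""

    def __init__(self, files):
        self.files = dict(files)
        self.fetches = []  # (fid, authenticated) log, for inspection

    def fetch(self, fid, authenticated):
        self.fetches.append((fid, authenticated))
        return self.files[fid]


class CacheManager:
    """Constructed model of the client policy discussed on the list.

    allow_suid=False models the 1.4.4 default (never honour setid bits).
    allow_suid=True models John's proposal: keep setid bits only for
    entries fetched over an authenticated connection; strip them from
    unauthenticated fetches and refetch securely on an authed reference.
    """

    def __init__(self, server, allow_suid=False):
        self.server = server
        self.allow_suid = allow_suid
        self.cache = {}

    def _store(self, fid, mode, authenticated):
        if not self.allow_suid or not authenticated:
            mode &= ~SETID_BITS
        entry = FileStatus(fid, mode, fetched_insecurely=not authenticated)
        self.cache[fid] = entry
        return entry

    def lookup(self, fid, authenticated):
        entry = self.cache.get(fid)
        if entry is None:
            return self._store(fid, self.server.fetch(fid, authenticated),
                               authenticated)
        if entry.fetched_insecurely and authenticated:
            # An authed user is referencing an unauthenticated entry:
            # flush it and refetch it over the authenticated connection.
            del self.cache[fid]
            return self._store(fid, self.server.fetch(fid, True), True)
        return entry


def demo():
    """Walk through both policies on a setuid binary (constructed data)."""
    server = FakeFileserver({"/afs/example/bin/tool": 0o4755})
    fid = "/afs/example/bin/tool"

    default = CacheManager(server, allow_suid=False)
    stripped = default.lookup(fid, authenticated=True).mode

    proposed = CacheManager(server, allow_suid=True)
    unauth = proposed.lookup(fid, authenticated=False)
    authed = proposed.lookup(fid, authenticated=True)
    again = proposed.lookup(fid, authenticated=True)  # served from cache

    return {
        "default_mode": stripped,
        "unauth_mode": unauth.mode,
        "unauth_flag": unauth.fetched_insecurely,
        "authed_mode": authed.mode,
        "authed_flag": authed.fetched_insecurely,
        "refetched": proposed is not None and authed is not unauth,
        "cached_hit": again is authed,
        "server_fetches": list(server.fetches),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, oct(v) if isinstance(v, int) and not isinstance(v, bool) else v)
```

The model shows what the proposal buys and what it does not: an unauthenticated fetch can never populate the cache with a setid mode, and the first authenticated reference replaces the stripped entry with one fetched over the keyed connection. It does nothing about Douglas's point, since everything fetched under a given session key is only as trustworthy as the holder of that key; that is why the reply concludes that root needs its own keyed identity if it is to trust AFS with /usr and /bin.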