[OpenAFS] Re: [OpenAFS-announce] OpenAFS Security Advisory 2007-001:
privilege escalation in Unix-based clients
Kim Kimball
dhk@ccre.com
Wed, 21 Mar 2007 15:47:37 -0600
If I abandon use of system:anyuser, except for lookup, does that get the
job done?
It seems to me that this forces all connections capable of fetching data
to be authenticated. If I'm reading the alert correctly, this would
prevent the FetchStatus exploit?
Kim
Derrick J Brashear wrote:
> On Wed, 21 Mar 2007, ted creedon wrote:
>
>> Therefore, two cells could be used, one suid and the other for
>> everything else?
>
> You could, but that's not going to prevent the attack unless you
> ensure all access to the setuid cell is authenticated and enforce that
> at the client end