[OpenAFS] Re: [OpenAFS-announce] OpenAFS Security Advisory 2007-001: privilege escalation in Unix-based clients
Kim Kimball
dhk@ccre.com
Fri, 23 Mar 2007 07:45:49 -0600
I'm still wondering if
a. Removing system:anyuser from ACLs will prevent this privilege escalation
b. Removing system:anyuser from ACLs except "system:anyuser l" will
prevent the privilege escalation (i.e. the only occurrence of
system:anyuser is with l permission)
Any definitive conclusions?
Thanks!
Kim
Kim Kimball wrote:
> Yes, but I thought this depended on a file in the cache that had been
> retrieved over an unauthenticated connection.
>
> Lookup won't put a file in the cache.
>
>
> Jeffrey Altman wrote:
>> Kim Kimball wrote:
>>
>>> If I abandon use of system:anyuser, except for lookup, does that get
>>> the job done?
>>>
>>> It seems to me that this forces all connections capable of fetching
>>> data to be authenticated. If I'm reading the alert correctly, this would
>>> prevent FetchStatus exploit?
>>>
>>> Kim
>>>
>>
>> Lookup is performed via FetchStatus
>>
>> Jeffrey Altman
>>
>>
>>