[OpenAFS] Re: [OpenAFS-announce] OpenAFS Security Advisory 2007-001: privilege escalation in Unix-based clients

Jeffrey Hutzelman jhutz@cmu.edu
Wed, 28 Mar 2007 17:09:25 -0400


On Friday, March 23, 2007 10:04:28 AM -0400 Jeffrey Altman 
<jaltman@secure-endpoints.com> wrote:

>
>
> Kim Kimball wrote:
>> I'm still wondering if
>>
>> a.  Removing system:anyuser from ACLs will prevent this privilege
>> escalation
>> b.  Removing system:anyuser from ACLs except "system:anyuser l" will
>> prevent the privilege escalation (i.e. the only occurrence of
>> system:anyuser is with l permission)
>>
>> Any definitive conclusions?
>>
>> Thanks!
>>
>> Kim
>
> As has been discussed on this list over the last few days, modifying the
> contents of unprotected data retrieved via anonymous connections is just
> one form of attack that can be executed.

What Jeff is trying to say is "no".
Changing ACL's will not prevent this attack.
Changing servers will not prevent this attack.
Period.

The only way to prevent this attack is for clients not to honor suid bits 
from sources not trusted _by the client_.  Since the current AFS client has 
no way to obtain a secure connection to the fileserver with which the user 
cannot tamper, all sources must be considered untrusted.

-- Jeff