[OpenAFS] Security Advisory 2007-001: privilege escalation in Unix-based clients
Christopher D. Clausen
cclausen@acm.org
Wed, 28 Mar 2007 16:16:38 -0500
Jeffrey Hutzelman <jhutz@cmu.edu> wrote:
> On Friday, March 23, 2007 10:04:28 AM -0400 Jeffrey Altman
> <jaltman@secure-endpoints.com> wrote:
>> Kim Kimball wrote:
>>> I'm still wondering if
>>>
>>> a. Removing system:anyuser from ACLs will prevent this privilege
>>> escalation
>>> b. Removing system:anyuser from ACLs except "system:anyuser l" will
>>> prevent the privilege escalation (i.e. the only occurrence of
>>> system:anyuser is with l permission)
>>>
>>> Any definitive conclusions?
>>
>> As has been discussed on this list over the last few days, modifying
>> the contents of unprotected data retrieved via anonymous connections
>> is just one form of attack that can be executed.
>
> What Jeff is trying to say is "no".
> Changing ACL's will not prevent this attack.
> Changing servers will not prevent this attack.
> Period.
>
> The only way to prevent this attack is for clients not to honor suid
> bits from sources not trusted _by the client_. Since the current AFS
> client has no way to obtain a secure connection to the fileserver
> with which the user cannot tamper, all sources must be considered
> untrusted.
If there was a way to make the client only use encrypted connections
(force fs setcrypt on and ignore unencrypted connections) would that be
sufficient to prevent the privilege escalation? (I am aware there
isn't an easy way to do this now.) Or do encrypted connections also not
trust the fileservers?
<<CDC
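Added example, not code from the advisory or from anyone in this thread: a small POSIX shell audit of the two client-side settings the discussion turns on, whether the client still honors setuid bits for a cell and whether fs setcrypt is on. It assumes the OpenAFS fs commands fs listcells, fs getcellstatus -cell, fs setcell -cell ... -nosuid, fs getcrypt and fs setcrypt -crypt on, and it assumes their output lines look like the constructed samples in the comments (the -nosuid option is not mentioned on this page and is an assumption of the example). The parsing functions take the command output on stdin so they can be exercised offline; the live section only runs when an fs binary is present.

```shell
#!/bin/sh
# Added example (not from the OpenAFS advisory or the thread): audit an AFS client's
# per-cell setuid policy and its Rx encryption setting.
# Assumed output formats (constructed samples):
#   fs getcellstatus -cell a.example  ->  "Cell a.example status: setuid allowed"
#                                     or  "Cell a.example status: no setuid allowed"
#   fs getcrypt                       ->  "Security level is currently crypt."
#                                     or  "Security level is currently clear."
#   fs listcells                      ->  "Cell a.example on hosts h1.example, h2.example."

# Read "fs getcellstatus" lines on stdin; print each cell whose setuid bits the
# client still honors. Exit 0 when every cell is "no setuid allowed", 1 otherwise.
suid_allowed_cells() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            "Cell "*" status: no setuid allowed")
                ;;                                   # already hardened
            "Cell "*" status: setuid allowed")
                cell=${line#Cell }                   # strip leading "Cell "
                cell=${cell%% status:*}              # keep only the cell name
                printf '%s\n' "$cell"
                rc=1
                ;;
        esac
    done
    return $rc
}

# Read one "fs getcrypt" line on stdin; exit 0 only when encryption is on.
crypt_is_on() {
    IFS= read -r line
    case "$line" in
        "Security level is currently crypt.") return 0 ;;
        *) return 1 ;;
    esac
}

# Live run, only on a host that actually has the AFS client tools installed.
# Prints the commands an administrator would run to close each finding.
if command -v fs >/dev/null 2>&1; then
    fs listcells \
        | sed -n 's/^Cell \([^ ]*\) on hosts.*/\1/p' \
        | while IFS= read -r c; do fs getcellstatus -cell "$c"; done \
        | suid_allowed_cells \
        | while IFS= read -r c; do
              echo "fs setcell -cell $c -nosuid   # client currently honors setuid from $c"
          done
    fs getcrypt | crypt_is_on || echo "fs setcrypt -crypt on        # connections are unencrypted"
fi
```

Run it as an unprivileged user; it only reads state. Note that this checks what the client is configured to do, which is the point Jeffrey Hutzelman makes above: the decision to honor a setuid bit is made on the client, so that is where the check and the remediation belong, independent of any server-side ACL.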