[OpenAFS] "group prefix doesn't match owner"

Derrick Brashear shadow@gmail.com
Mon, 3 May 2010 22:53:02 -0400


On Mon, May 3, 2010 at 10:19 PM, Jeffrey Altman
<jaltman@secure-endpoints.com> wrote:
> On 5/1/2010 6:40 PM, Adam Megacz wrote:
>>
>> Is there any reason why pts won't let system:administrator create groups
>> whose prefix does not match any user?
>>
>>   $pts ex blah
>>   pts: User or group doesn't exist so couldn't look up id for blah
>>   $pts creategroup blah:booh
>>   pts: Badly formed name (group prefix doesn't match owner?) ; unable to create group blah:booh
>>
>> Clearly this can be circumvented by system:administrator:
>>
>>   $pts cu blah
>>   User blah has id 100015
>>   $pts creategroup blah:booh -owner blah
>>   group blah:booh has id -1012
>>   $pts delete blah
>>   $pts ex blah:booh
>>   Name: blah:booh, id: -1012, owner: 0, creator: megacz,
>>     membership: 0, flags: S-M--, group quota: 0.
>>
>> is there a danger in doing this, other than perhaps confusion?
>
> I suspect that the above is a security issue. It means that user 1 can
> be assigned pts id "foo" and if "foo" is deleted (but not foo's groups)
> when user 1 leaves the company, then when user 2 comes along and is
> assigned the unused "foo", s/he will inherit all of the groups that
> belonged to user 1.
>
> I suspect the proper behavior should at some point become that deletion
> of pts id "foo" should remove all of the groups as well.

Shouldn't be true. The ptserver tracks by id, not text name. And I
disagree that the change is needed.

> By intentionally creating groups that are owned by no valid pts id,
> you increase the chance that such an id would be used for another purpose.

If it tracked by name.

A similar "attack" has been discussed before.

pts cg shadow:something
pts chown shadow:something jaltman

jaltman now owns jaltman:something.

Derrick
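As an added example (not part of the thread, and not OpenAFS code), here is a small audit script for the situation Adam demonstrated: a group left behind after its owning user was deleted. It parses the two-line `pts examine` record format shown above and flags groups whose owner is printed as a bare number (the thread shows `owner: 0` for the orphaned group), groups whose owner does not appear in the listing, and groups whose name prefix does not match their owner. The sample output embedded in the script is constructed for the example; the ids and most of the names are made up, and the assumption that an unresolvable owner is printed as a number rests on the `owner: 0` line in the thread.

```python
"""Audit `pts examine` output for orphaned or mis-prefixed groups.

Added example, not OpenAFS code. Assumes the record format shown in the
thread: two lines per entry, and an owner that no longer resolves printed
as a bare number (the thread shows `owner: 0` after `pts delete blah`).
"""

import re

# Constructed sample of `pts examine` output for this example. Users have
# positive ids, groups negative ids. blah:booh is the orphaned group from
# the thread; the other entries are made up to exercise each code path.
SAMPLE_PTS_OUTPUT = """\
Name: megacz, id: 100010, owner: system:administrators, creator: system:administrators,
  membership: 2, flags: S----, group quota: 20.
Name: jaltman, id: 100011, owner: system:administrators, creator: system:administrators,
  membership: 3, flags: S----, group quota: 20.
Name: blah:booh, id: -1012, owner: 0, creator: megacz,
  membership: 0, flags: S-M--, group quota: 0.
Name: megacz:friends, id: -1013, owner: megacz, creator: megacz,
  membership: 1, flags: S-M--, group quota: 0.
Name: jaltman:something, id: -1014, owner: jaltman, creator: shadow,
  membership: 0, flags: S-M--, group quota: 0.
Name: staff, id: -1015, owner: system:administrators, creator: megacz,
  membership: 4, flags: S-M--, group quota: 0.
"""

# One record spans two lines; \s* absorbs the newline and indentation.
RECORD_RE = re.compile(
    r"Name: (?P<name>\S+), id: (?P<id>-?\d+), owner: (?P<owner>\S+), "
    r"creator: (?P<creator>\S+),\s*membership: (?P<members>\d+), "
    r"flags: (?P<flags>\S+), group quota: (?P<quota>\d+)\."
)


def parse_pts_examine(text):
    """Return {name: record} for every `pts examine` record in text."""
    entries = {}
    for m in RECORD_RE.finditer(text):
        rec = m.groupdict()
        rec["id"] = int(rec["id"])
        entries[rec["name"]] = rec
    return entries


def audit_groups(entries):
    """Classify every group (negative id) by the state of its owner.

    Returns {group name: status string}. Users are skipped.
    """
    report = {}
    for name, rec in entries.items():
        if rec["id"] >= 0:
            continue  # a user; only groups carry the owner/prefix rule
        owner = rec["owner"]
        if owner.lstrip("-").isdigit():
            # pts could not map the owner id back to a name, so the owning
            # entry has been deleted (assumption: printed as a bare number).
            report[name] = "orphaned (owner id %s has no entry)" % owner
        elif owner == "system:administrators":
            # Admin-created groups need no prefix (e.g. plain "staff").
            report[name] = "ok (admin-owned, no prefix required)"
        elif owner not in entries:
            # Cannot judge without the owner's record in this listing.
            report[name] = "owner %s not in listing" % owner
        elif not name.startswith(owner + ":"):
            # Works for user owners ("u:g") and group owners ("u:g:sub").
            report[name] = "prefix does not match owner %s" % owner
        else:
            report[name] = "ok"
    return report


if __name__ == "__main__":
    # Typical use: pts examine <names> | python audit_pts.py (read stdin);
    # here the constructed sample is used so the script runs stand-alone.
    for group, status in sorted(audit_groups(parse_pts_examine(SAMPLE_PTS_OUTPUT)).items()):
        print("%-20s %s" % (group, status))
```

The "orphaned" case is the one worth acting on after an account is removed: the group is still tracked by its numeric owner id, as Derrick points out, so nothing inherits it by name, but it has no owner who can administer it and should be reassigned with `pts chown` or deleted.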