[OpenAFS] OpenAFS Security Releases 1.8.2, 1.6.23 available --> butc & backup security update question --> why only root?

Giovanni Bracco giovanni.bracco@enea.it
Thu, 27 Sep 2018 15:29:38 +0200


OK, I understand, thank you!
Giovanni

On 27/09/2018 15:22, Jeffrey Altman wrote:
> On 9/27/2018 9:11 AM, Giovanni Bracco wrote:
>> I have made some tests - ok it works - but I wonder why the key
>> authentication method is allowed only to the root user
>>
>>> -localauth
>>> All butc RPCs require superuser authentication.
>>> This option must be run as root, and server key material must be present.
>>
>> Our backup scripts, which have been running on a dedicated server for
>> many years, run under a dedicated user with administrative powers.
>>
>> Why is the availability of an admin token not sufficient to run butc in a
>> secure way?
>>
>> Giovanni
> 
> A user token can be used to authenticate outgoing connections such as
> those from butc to the buserver or the volserver.  It cannot be used to
> authenticate incoming connections to butc from the backup coordinator
> command ("backup" or "afsbackup" depending upon the packaging.)
> 
> The privilege escalation attack is possible because of butc accepting
> unauthenticated "anonymous" requests that would then result in RPCs
> being issued as a privileged identity to the buserver and the volserver.
> To close the security hole butc must authenticate all incoming RPCs.
> To do so butc must have knowledge of the cell-wide key because without
> knowledge of that key it cannot decrypt the AFS token presented by the
> RPC issuer.
> 
> Jeffrey Altman
> 
> 

-- 
Giovanni Bracco
phone  +39 351 8804788
E-mail  giovanni.bracco@enea.it
WWW http://www.afs.enea.it/bracco