[2180] in Release_Engineering


warning - suid files in afs

daemon@ATHENA.MIT.EDU (qjb@ATHENA.MIT.EDU)
Sat Feb 17 21:45:34 1990

From: qjb@ATHENA.MIT.EDU
Date: Sat, 17 Feb 90 21:45:03 -0500
To: rel-eng@ATHENA.MIT.EDU, vice-squad@ATHENA.MIT.EDU

Please read this message -- it's important.

In the AFS 3.0B code, the default seems to be to allow suid
execution only from the local AFS cell.  This is a problem with
an easy solution.

Possibility 1:
To get no change in current functionality, have /etc/rc run
/etc/athena/suid_afs_cells whether or not
/usr/vice/etc/SuidCells exists.  If suid_afs_cells is run and
there is no SuidCells file, it explicitly turns on suid
execution for all cells.  This allows no change in current
functionality. 

Possibility 2:
Provide all public workstations with SuidCells files that
contain the list of cells we want to allow suid execution from.



I think that Possibility 1 is the clear winner for several
reasons:

1.  If a new cell is added from which we wish to allow suid
execution, a new release would have to be done to get out the
change to the field.

2.  There are many ways of breaking in as root to public
workstations, so preventing private cell owners from being able
to run suid programs from their own cells seems like it is not
worth introducing the problem in #1.  It is not a major security
issue to allow setuid execution from all cells on a public
workstation since the equivalent situation with NFS on private
workstations has always existed. 

I'd be glad to debate any of these issues.


The fix I recommend is removing the two lines from /etc/rc that
conditionalize the running of suid_afs_cells from /etc/rc.

                                Jay
