[137] in Info-AFS_Redistribution
AFS security hole (gaping)
daemon@ATHENA.MIT.EDU (Keith Gorlen)
Wed Jun 12 12:53:23 1991
Date: Wed, 12 Jun 1991 12:28:59 -0400 (EDT)
From: Keith Gorlen <kgorlen+@alw.nih.gov>
To: AFS-Helpline@transarc.com, Info-AFS@transarc.com
Cc: rick troxel <rick@alw.nih.gov>, john powell <jip@alw.nih.gov>
Scenario:
I'm on a SPARC running SunOS 4.0.3 w/ AFS 3.1, and I throw away my AFS
tokens. I then do a "leapto sapporo.dcrt.nih.gov". "leapto" is a shell
script that establishes an X window session on a remote host using "rsh"
to pass the environment:
sparkler% unlog
sparkler% leapto sapporo.dcrt.nih.gov
sapporo.dcrt.nih.gov being added to access control list
ta_rauth: no tokens availableNo remote authentication
sparkler% ta_rauth: no tokens availableNo remote authentication
Starting tm (Version Unknown, ATK 15.5); please wait...
When I get a window on sapporo, I *do* have tokens--somebody else's!
sapporo% tokens
Tokens held by the Cache Manager:
[ 1]User's (AFS ID 2090) tokens for afs@alw.nih.gov [Expires Jun 16 15:01]
[ 2] --End of list--
sapporo% grep 2090 /etc/passwd
jckelley:X:2090:99:John Kelley:/afs/alw.nih.gov/dcrt/jckelley:/bin/csh
sapporo% groups
33536 32512 1101
sapporo% cd ~jckelley
sapporo% touch kgorlen-did-this
sapporo% ll kgorlen-did-this
-rw-r--r-- 1 jckelley 0 Jun 12 12:02 kgorlen-did-this
Host "sapporo" is a SPARC running SunOS 4.0.3 w/ AFS 3.1 and the NFS/AFS
Translator. "jckelley" is using the NFS/AFS Translator. We use a
script to authenticate to the translator that always specifies a UID
argument to knfs.
I'm beginning to wonder whether the UID argument to knfs really works:
sapporo% knfs helix.nih.gov xxx
sapporo% knfs helix.nih.gov -id xxx
sapporo% knfs helix.nih.gov -id 999 -unlog
sapporo% knfs helix.nih.gov -id xxx -unlog
Note that I never get either of these knfs error messages:
"knfs: can't parse '%s' as a number (UID)\n"
"knfs: failed to unlog (code %d)\n"
Keith Gorlen phone: (301) 496-1111
Building 12A, Room 2033 FAX: (301) 402-0007
National Institutes of Health uucp: uunet!kgorlen%alw.nih.gov
Bethesda, MD 20892 Internet: kgorlen@alw.nih.gov
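
The knfs test at the end of the message expects a non-numeric `-id` value to be rejected with the quoted parse error. As an added example (not knfs source and not part of the original message; how knfs actually parses its argument is not shown on this page), the following contrasts a lenient numeric conversion with a strict one that emits that error text. `lenient_uid`, `strict_uid` and the `MAX_UID` bound are assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_UID 65535UL  /* constructed upper bound for this example */

/* Lenient: atoi() has no failure return, so "xxx" silently becomes UID 0. */
static long lenient_uid(const char *arg)
{
    return atoi(arg);
}

/* Strict: 0 on success with the UID stored in *uid_out; -1 for empty,
 * non-numeric, signed, trailing-garbage or out-of-range input. */
static int strict_uid(const char *arg, unsigned long *uid_out)
{
    char *end;
    unsigned long v;

    if (arg == NULL || !isdigit((unsigned char)arg[0]))
        return -1;              /* rejects "", "xxx", "-1", " 42" */
    errno = 0;
    v = strtoul(arg, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > MAX_UID)
        return -1;              /* rejects "999x" and oversized values */
    *uid_out = v;
    return 0;
}

int main(void)
{
    /* Constructed inputs: values seen in the message plus edge cases. */
    const char *args[] = { "xxx", "999", "2090", "999x", "-1", "" };
    size_t i;

    for (i = 0; i < sizeof args / sizeof args[0]; i++) {
        unsigned long uid;
        printf("lenient('%s') = %ld\n", args[i], lenient_uid(args[i]));
        if (strict_uid(args[i], &uid) != 0)
            fprintf(stderr, "knfs: can't parse '%s' as a number (UID)\n", args[i]);
        else
            printf("strict('%s') = %lu\n", args[i], uid);
    }
    return 0;
}
```

A tool that maps credentials to a caller-supplied UID should fail closed on any input the strict check rejects, since a silent fallback to a default UID attaches tokens to an identity the caller never named.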