[2101] in Info-AFS_Redistribution


Re: root user exposure on AFS client

daemon@ATHENA.MIT.EDU (Steve Dyer)
Tue Oct 19 21:02:30 1993

To: dayjohn@vnet.ibm.com
Cc: info-afs@transarc.com
In-Reply-To: Your message of "Tue, 19 Oct 93 10:43:50 EDT."
Date: Tue, 19 Oct 93 16:00:22 -0400
From: Steve Dyer <dyer@ursa-major.spdcc.com>

The root uid on an AFS client has access to the AFS cache (naturally), and
if you're using an implementation of Kerberos which keeps its tickets
around in an accessible place (as in MIT Kerberos), it is possible for
anyone with root access on that client to steal an unexpired TGT from
another authenticated user on that same client, and use that to authenticate
to an AFS file server, impersonating that person.  This really wasn't
a problem in the MIT Athena environment (even with the root pw freely known),
because the AFS client workstations only allowed a single user to log
in at a time, so you wouldn't expect to have a situation where anyone
else's TGTs were sitting around and accessible to root.  Logging out flushed
the Kerberos ticket cache.  Of course, you still have the problem
of someone browsing the AFS cache.  I think there was some thought at MIT
about hacking AFS to allow the cache to be flushed on a per-volume
basis at logout time, but between technical complexity and people's
time, it wasn't deemed a priority (of course, I haven't followed what's
been going on at MIT for a while, so I could be misrepresenting things
as far as the AFS cache is concerned.)



