[2195] in Info-AFS_Redistribution
Re: Special SU program?
daemon@ATHENA.MIT.EDU (Marcus Watts)
Fri Nov 19 20:59:03 1993
To: Allen Hebert <allen@ibmoto.com>
Cc: info-afs@transarc.com, dykes@ibmoto.com, sck@ibmoto.com
In-Reply-To: Your message of "Fri, 19 Nov 93 12:51:57 CST."
Date: Fri, 19 Nov 93 19:29:42 -0500
From: Marcus Watts <mdw@umich.edu>
It sounds like:
(1) a really really Bad Evil disgusting Wrong thing to do.
> you have given "other people" an untraceable way
to masquerade as the user. That has a
nasty potential for abuse.
> there could be nasty surprises the user could
pull on mr. unsuspecting system administrator.
(Do YOU know what TIOCSTI does?)
( > rather than trying to duplicate what the user
does elsewhere, it is even Better to watch
as things misbehave for the user. Usually
it's not Just a question of what the user's
environment is, but Also a question of what
the user does. It's almost impossible to get
the user to describe their actions - therefore,
the Only way to get the complete picture is
to Watch. )
(2) it's certainly possible to do. Not easy, but possible.
One way would be:
Write a daemon that runs on the DB servers. Upon receiving a properly
authenticated request from mr. sneaky administrator, it Logs the
request (hopefully mr. sneaky admnistrator is honest enough not
to temper with the log file), forge a ticket in the key of afs for the
user, and ships it back. If you use kerberos ticket files,
the job is a bit harder; you'll need to extract the kerberos
ticket granting ticket key, forge a ticket in that key, and ship it
back. Either solution basically bypasses kerberos, and
therefore entirely bypasses any security promises kerberos could
make. This is a very horrible thing to do, fraught with unpleasant
surprises, because you've changed the fundemental assumptions kerberos
makes. Be very sure you understand and want to do this before you do
it. Naturally, you'd want to pass the token in a secure channel,
decide what authorization method you want to use, and so forth.
Write a client end program that talks to your evil nasty daemon.
It also needs to do a setpag, a setpgrp, setuid, & all the usual
stuff. To entirely duplicate what the user sees, it should
probably in fact start up what amounts to a complete terminal
session and look as much as possible like "login". Doing this may
also lessen the horrible surprises mr. crafty user could pull
on you.
This is a really bad thing you are asking for. I hope you won't do it.
-Marcus Watts
UM ITD RS Umich Systems Group
