[1358] in SIPB_Linux_Development
Re: linux security issue
daemon@ATHENA.MIT.EDU (Derek Atkins)
Fri Aug 2 12:22:30 1996
To: Microcomputer Helpline <micro-help@MIT.EDU>, cmh_chen@MIT.EDU
Cc: linux-dev@MIT.EDU, proac@MIT.EDU, ching@MIT.EDU
In-Reply-To: Your message of "Fri, 02 Aug 1996 12:03:27 EDT." <v02130501ae279e8851b8@[18.81.0.154]>
Date: Fri, 02 Aug 1996 12:21:40 EDT
From: Derek Atkins <warlord@MIT.EDU>
Hi,
The network helpdesk forwarded your message to linux-dev, the group
that created the Linux-Athena port. You said:
> We discovered that the superuser root can have FULL access
> to the account of any user who has logged in to the server via telnet
> in the past few hours. The following is what we did, while logging in
> to our Athena accounts at our servers:
Actually, they only have access to the AFS homedirectory of the users.
As you mention later, they don't get kerberos tickets, which means
they cannot use zephyr, inc, or any other network services. However,
as you noticed, they can obtain AFS tokens.
Let me ask you a question: Are you using ELF? If so, the answer is
simple. The way to protect users' tokens is by obtaining a PAG, or
process authentication group. However this requires access to AFS
libraries. Until recently, AFS libraries only existed for a.out.
Since the Athena login program couldn't get ELF libraries, the AFS PAG
code was turned off. Now that this is no longer a problem, it will be
turned back on again for the Linux 2.0 packages.
> After this, one will be able to 'become' that user, with full access
> to his/her Athena locker (but no kerberos ticket is obtained, I believe).
> However, several hours after the user logs out, this trick will not work.
> Also, this problem does not happen to users who use xlogin physically at
> the terminal.
The reason is that AFS tokens are cached in the kernel when the user
logs in. Normally they are contained in a PAG, so the superuser
cannot find them. Since PAGs haven't been supported in the ELF login,
only the uid was protecting the AFS tokens from prying superusers.
The reason that it only worked for a few hours is that tokens expire
after 10 hours. So, 10 hours after the user logged in, the tokens
would expire and you would no longer be able to use them using the
"su" technique.
The reason xlogin doesn't have this problem is that it does an
explicit unlog (I believe), at logout. (Xlogin usually gets a PAG,
but it, too, requires AFS libraries to do it -- actually, I think that
Xlogin was only a.out -- check your binary).
> We regard the above as an extremely serious security problem, which
> affects all users telnetting to our servers. We would like to ask for your
> advice on this matter. Please provide us the appropriate instructions to
> fix the problem so that security of Athena user accounts can be fully
> maintained. It will be to everyone's benefit if this problem can promptly
> be solved.
This is a known problem, and the solution is already there. It is
just a matter of recompiling the Linux-Athena sources (which someone
has been working on) and for you to upgrade to the Linux-2.0
Linux-Athena packages, once they become available.
I hope this explains the situation,
-derek
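Added illustration, not part of Derek's message and not Linux-Athena or OpenAFS code: a toy Python model of the token cache the message describes. It assumes a single in-kernel token table keyed either by a per-login PAG or, when the login program set no PAG, by the bare uid; the process, cache, and function names, the cell name, and the uid/user values are all constructed. It reproduces the three points in the message: a uid-keyed cache is reachable from a root shell that has changed uid, the window closes when the 10-hour token lifetime runs out, and an explicit unlog at logout (what the message attributes to xlogin) closes it at once.

```python
"""Toy model of the AFS token cache described above (constructed, not OpenAFS).

One "kernel" table holds tokens. The key is the process's PAG when login
allocated one, and the bare uid when it did not.  su changes the uid but
leaves the PAG alone, so only the uid-keyed case exposes a user's tokens.
"""
from dataclasses import dataclass
from itertools import count
from typing import Optional, Tuple

TOKEN_LIFETIME_HOURS = 10.0  # lifetime quoted in the message


@dataclass
class Token:
    cell: str
    owner: str
    issued_at: float  # toy clock, in hours

    def expired(self, now: float) -> bool:
        return now - self.issued_at >= TOKEN_LIFETIME_HOURS


@dataclass
class Process:
    uid: int
    pag: Optional[int] = None  # None when the login program set no PAG


class KernelTokenCache:
    """Stand-in for the in-kernel token table (constructed for this example)."""

    def __init__(self) -> None:
        self._tokens: dict = {}
        self._pag_ids = count(1)

    def new_pag(self) -> int:
        return next(self._pag_ids)

    @staticmethod
    def _key(proc: Process) -> Tuple[str, int]:
        # Tokens live in the PAG when there is one; otherwise only the uid
        # distinguishes them, which is the weak case the message describes.
        return ("pag", proc.pag) if proc.pag is not None else ("uid", proc.uid)

    def set_token(self, proc: Process, token: Token) -> None:
        self._tokens[self._key(proc)] = token

    def lookup(self, proc: Process, now: float) -> Optional[Token]:
        key = self._key(proc)
        token = self._tokens.get(key)
        if token is None:
            return None
        if token.expired(now):
            del self._tokens[key]  # expired tokens are dropped from the table
            return None
        return token

    def unlog(self, proc: Process) -> None:
        self._tokens.pop(self._key(proc), None)


def login(cache: KernelTokenCache, uid: int, user: str, now: float, use_pag: bool) -> Process:
    """A login: optionally allocate a PAG, then cache a fresh token."""
    proc = Process(uid=uid, pag=cache.new_pag() if use_pag else None)
    cache.set_token(proc, Token("example.cell", user, now))  # constructed cell name
    return proc


def su(caller: Process, target_uid: int) -> Process:
    # su changes the uid; the new shell keeps the caller's PAG (or lack of
    # one) and never acquires the target user's PAG.
    return Process(uid=target_uid, pag=caller.pag)


def user_can_read_tokens(use_pag: bool, hours_after_login: float) -> bool:
    cache = KernelTokenCache()
    user = login(cache, 1001, "user1", 0.0, use_pag)
    return cache.lookup(user, hours_after_login) is not None


def root_can_read_tokens(use_pag: bool, hours_after_login: float,
                         logout_unlog: bool = False) -> bool:
    cache = KernelTokenCache()
    user = login(cache, 1001, "user1", 0.0, use_pag)
    if logout_unlog:
        cache.unlog(user)  # what the message says xlogin does at logout
    # root has its own separate session and no token of its own here
    root = Process(uid=0, pag=cache.new_pag() if use_pag else None)
    return cache.lookup(su(root, 1001), hours_after_login) is not None


if __name__ == "__main__":
    for use_pag in (False, True):
        for hours in (1.0, 10.0):
            print(f"pag={use_pag!s:5} t={hours:4}h  user={user_can_read_tokens(use_pag, hours)!s:5} "
                  f"root_via_su={root_can_read_tokens(use_pag, hours)}")
    print("no PAG, unlog at logout, root_via_su =", root_can_read_tokens(False, 1.0, True))
```

The model is deliberately small: the real PAG mechanism and kernel cache are more involved, but the lookup-key distinction is the whole point of the message, and the table printed by the script matches its three observations.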