Coda File System

Re: process authentication groups (resent)

From: Love <lha_at_stacken.kth.se>
Date: 13 May 1998 22:01:21 +0200
"J.A. Harkes" <Jan.Harkes_at_cwi.nl> writes:

> "Peter J. Braam" wrote:
> > - any process can execute newpag and thereby leave an
> > authentication group of which it was a member
> 
> This fact combined with the `simple' incremental pag-allocation in your
> patch creates the possibility for malicious users to `impersonate'
> another user.
> 
> Let's say I know a user P has pag #x. It is trivial to implement:
> 
>    while (getpag() != x) newpag();
>    exec('/bin/sh' something)
> 
> And presto, an authenticated shell.

Am I missing something, but:

   Assume I have a fast computer and can do 10 000 000 setpag()/s. [1]
   Using 64-bit unsigned counters yields:

     (2^64-1)/10000000/3600/24/365 = 58494 years to wrap around.

My Kerberos tickets only last 8h. It's easier to hack root and
steal the ticket file.


The real reason to have pags is so you can have multiple xterms
with different rights (like admin, luser, luser in other cell)
and don't need to run clog/afslog/aklog/vfsh. pags are good
and you want to use them.

Love


[1] My alpha (433au/433 DigitalUnix 4.0c using Transarc's setpag)
    does this in 4 seconds.
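An added model of the incremental pag allocator argued about in this thread (example code, not Coda's implementation and not from either poster). It quantifies the wrap-around point above: with a monotonically increasing counter, an already-issued pag comes back only after a full wrap, so the counter width and call rate decide whether that happens inside a ticket lifetime. The counter width, the starting counter value and the 8h ticket are parameters I assume for the illustration; the 10 000 000 setpag()/s rate is the one assumed in the message.

```python
from dataclasses import dataclass

SECONDS_PER_YEAR = 3600 * 24 * 365


@dataclass
class PagAllocator:
    """The `simple' incremental allocator under discussion: every newpag()
    hands out the next counter value and the counter wraps at 2^width."""
    width: int        # counter width in bits, e.g. 32 or 64 (assumed parameter)
    next_id: int = 1  # value the next newpag() call will return

    def newpag(self) -> int:
        pag = self.next_id
        self.next_id = (self.next_id + 1) % (1 << self.width)
        return pag


def calls_to_reach(alloc: PagAllocator, target: int) -> int:
    """How many newpag() calls the allocator must serve before it hands out
    `target` again. The counter only ever increases, so an id that was
    already issued to someone else returns only after a full wrap-around."""
    modulus = 1 << alloc.width
    return (target - alloc.next_id) % modulus + 1


def seconds_to_reach(calls: int, calls_per_second: float) -> float:
    return calls / calls_per_second


def years_to_wrap(width: int, calls_per_second: float) -> float:
    """Love's figure: (2^width - 1) calls at the given rate, in years."""
    return seconds_to_reach((1 << width) - 1, calls_per_second) / SECONDS_PER_YEAR


def reachable_within_ticket(alloc: PagAllocator, target: int,
                            calls_per_second: float, ticket_hours: float = 8.0) -> bool:
    """Could the counter come round to `target` before the ticket expires?"""
    needed = seconds_to_reach(calls_to_reach(alloc, target), calls_per_second)
    return needed <= ticket_hours * 3600


if __name__ == "__main__":
    rate = 10_000_000  # the 10 000 000 setpag()/s assumed in the message
    # Constructed scenario: user P was handed pag 5 long ago, counter is now at 1000.
    for width in (32, 64):
        alloc = PagAllocator(width=width, next_id=1000)
        print(f"{width}-bit: {calls_to_reach(alloc, 5)} calls; "
              f"within 8h ticket: {reachable_within_ticket(alloc, 5, rate)}; "
              f"full wrap in {years_to_wrap(width, rate):.0f} years")
```

The 32-bit case comes round in minutes at that rate; the 64-bit case gives the 58494-year figure quoted above, which is why the ticket lifetime, not the counter, is the binding limit.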
Received on 1998-05-13 16:02:56