Several weeks ago, Joe Jackson of Transarc posted a security warning
to the transarc 'contacts' list describing a security hole in the
version of AFS authenticating xdm which one of my employees had
contributed to the Transarc software archive.
A user who has an AFS ID but is not in the Unix password file gets
logged in as root. This is indeed a serious problem. We had detected
and fixed it long ago, but the person who did this work apparently
forgot to update the copy in the AFS archive. My apologies.
What Joe's warning failed to note is that our version of xdm was
simply the RPI version with a change so that it didn't stop creating
PAGs after the first 16 logins. In other words, I think it would be
wise for anyone using an AFS authenticating xdm to explicitly check
for this problem.
Subsequently, Joe sent around another note asserting that another
(unspecified) security problem had been found in our xdm, that we had
been notified, and that our xdm had been removed from the Transarc
archive.
This disturbs me a bit because Transarc had most certainly not
notified us of any such thing. A fellow AFS user had sent a note to
both Transarc and myself pointing out what they considered to be a
security problem - that our xdm does not pay attention to the AIX
/etc/security/users file. Specifically, that with our xdm it is not
possible to use this file to limit root logins to console devices.
I do not consider this to be a security problem. Neither does another
user who contacted me. At least the R5 distribution of X11 from MIT
does not provide this functionality for AIX. I don't know about the
R6 version, but I doubt this has changed.
If Joe had bothered to contact me or had responded to my email or
phone call, he might have saved himself the embarrassment of my having
to publish this explanation.
-Rick
--
|Rick Cochran 607-255-7223|
|Cornell Materials Science Center [EMAIL PROTECTED]|
|E20 Clark Hall, Ithaca, N.Y. 14853 cornell!msc.cornell.edu!rick|
| "Workstations - I bet you can't eat just one!" |
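The failure the post describes, an AFS-authenticated user with no entry in the Unix password file being started as root, as an added illustration that is not code from the post or from any xdm. The post does not say how the fallthrough happened; this example assumes the common pattern of a session uid that defaults to 0 when the passwd lookup fails, and uses a constructed in-memory password table instead of the real one.

```c
#include <stdio.h>
#include <string.h>
#include <pwd.h>
#include <sys/types.h>

/* Constructed stand-in for the Unix password file. Only these two
 * accounts exist locally; an AFS principal not listed here ("bob")
 * is the case the post describes. */
static struct passwd fake_pw[] = {
    { .pw_name = "root",  .pw_uid = 0,    .pw_gid = 0 },
    { .pw_name = "alice", .pw_uid = 1001, .pw_gid = 100 },
};

static const struct passwd *lookup_local(const char *user)
{
    for (size_t i = 0; i < sizeof fake_pw / sizeof fake_pw[0]; i++)
        if (strcmp(fake_pw[i].pw_name, user) == 0)
            return &fake_pw[i];
    return NULL;
}

/* Assumed vulnerable pattern: the uid starts at 0 and is only
 * overwritten when the lookup succeeds, so a user who passed AFS
 * authentication but has no passwd entry is handed uid 0. */
uid_t session_uid_unsafe(const char *user)
{
    const struct passwd *p = lookup_local(user);
    uid_t uid = 0;
    if (p)
        uid = p->pw_uid;
    return uid;                        /* "bob" (AFS-only) -> 0 */
}

/* Hardened: a valid AFS token is necessary but not sufficient. The
 * local passwd entry must exist, and a name other than "root" must
 * not resolve to uid 0. Returns 0 on success, -1 when login is refused. */
int session_uid_safe(const char *user, uid_t *out)
{
    const struct passwd *p = lookup_local(user);
    if (p == NULL)
        return -1;                     /* authenticated, but unknown locally */
    if (p->pw_uid == 0 && strcmp(user, "root") != 0)
        return -1;                     /* non-root name mapping to uid 0 */
    *out = p->pw_uid;
    return 0;
}

int main(void)
{
    uid_t uid;
    printf("unsafe: bob -> uid %u\n", (unsigned)session_uid_unsafe("bob"));
    printf("safe:   bob -> %s\n", session_uid_safe("bob", &uid) ? "refused" : "ok");
    return 0;
}
```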