Gergely, I'm going to prune the majority of the content because I would like to focus on the threats you wish to protect against.
On 3/15/2014 3:33 PM, Gergely Risko wrote:

[...]

You have proposed a mechanism for locking down some of the RPCs on the VOL and VL services based upon:

  system:anyuser (the current behavior)
  system:authuser
  system:administrator

I believe that such broad controls on the RPCs that are not used by the cache managers are reasonable. Doing so will not violate the agreement with IBM on the use of the AFS protocol. However, I'm not sure that doing so will address your specific threats. I also believe there needs to be an additional level to permit system:authuser + authenticated foreign users.

[...]

> I think this leak is significant to be bothering:
> - spammers can get valid email addresses,

There are a variety of methods by which spammers do this today:

1. They scan the contents of the "home", "usr", "user", etc. tree in the cell's file system name space. The list of mount points is more often than not system:anyuser "l" or at best system:authuser "l" in order to permit users to see each other's home directories and because the machines they log into must be able to access the home directories before the user's authentication tokens have been obtained.

2. "vos listvldb" can be used to obtain the list of all volumes. The user names can often be extracted from the volume names.

3. "vos listaddr" to obtain the list of all file servers, combined with "vos listvol", can be used to obtain a list of all volume names.

There is little benefit to locking down the vlserver and the volserver if the file system can be searched.

> - spammers can confirm based on the stats the list of users that are
>   actually active on a computer system,

The cache manager debug interface (cmdebug) is implemented by all existing AFS cache managers. This interface can be used to obtain the list of FIDs in the cache including the active set of callbacks. The FIDs indicate the cell and the volume by ID. The ID can be converted to a volume name using VL_GetEntryByName*() RPCs that must be open to permit cache managers to look up the file server/partitions on which a volume is located. The "vos examine" reported statistics are not necessary.

There is no authentication on the cache manager debugging interface because there is no mechanism for keying the service.

The "volume stats" also are not collected for a specific "computer or device" but for the cell as a whole.

> - from the vol stats people can monitor and figure out if someone is
>   at the computer using AFS which can be part of a bigger social
>   attack or harassment scenarios.

The volume statistics can indicate which volumes are more actively used.

[...]

Jeffrey Altman
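As an added illustration of the two leak paths Jeffrey describes (this is example code written for this page, not OpenAFS code or anything posted in the thread), the script below parses constructed samples of "vos listvldb" and "fs listacl" output: it pulls volume names out of the VLDB listing and, on the assumption that the cell names home volumes "user.<name>" (an assumption, not something the thread states), derives candidate user names from them; and it flags ACL entries on a home-tree directory that grant "l" to system:anyuser or system:authuser, which is the setting that makes the mount-point scan in item 1 possible. Both sample outputs are constructed for the example; run the functions on real "vos listvldb -cell <cell> -noauth" and "fs listacl <dir>" output to see what an unauthenticated party can enumerate in your own cell.

```python
import re

# Constructed sample of "vos listvldb" output (not captured from a real cell).
SAMPLE_LISTVLDB = """\
VLDB entries for all servers 

root.afs 
    RWrite: 536870912     ROnly: 536870913 
    number of sites -> 2
       server fs1.example.org partition /vicepa RW Site 
       server fs2.example.org partition /vicepa RO Site 

user.alice 
    RWrite: 536870915     Backup: 536870917 
    number of sites -> 1
       server fs1.example.org partition /vicepb RW Site 

user.bob 
    RWrite: 536870918 
    number of sites -> 1
       server fs2.example.org partition /vicepb RW Site 

Total entries: 3
"""

# Constructed sample of "fs listacl" output for the directory holding the
# home-directory mount points; system:anyuser "l" is the setting at issue.
SAMPLE_LISTACL = """\
Access list for /afs/example.org/user is
Normal rights:
  system:administrators rlidwka
  system:anyuser l
"""

# An entry header in listvldb output is a bare volume name on its own line,
# immediately followed by the indented line carrying its volume IDs.
VOLUME_HEADER = re.compile(r"^(\S+)\s*$")
ID_PREFIXES = ("RWrite:", "ROnly:", "Backup:")

# One "<entry> <rights>" pair in fs listacl output.
ACL_PAIR = re.compile(r"^\s+(\S+)\s+([rlidwka]+)\s*$")

BROAD_GROUPS = ("system:anyuser", "system:authuser")


def volumes_from_listvldb(text):
    """Return every volume name listed in vos listvldb output, in order."""
    names = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = VOLUME_HEADER.match(line)
        if not m or i + 1 >= len(lines):
            continue
        if lines[i + 1].lstrip().startswith(ID_PREFIXES):
            names.append(m.group(1))
    return names


def usernames_from_volumes(names, prefix="user."):
    """Map home volumes to user names.

    Assumption (for this example only): home volumes are named "<prefix><user>".
    Adjust the prefix to whatever convention the cell actually uses.
    """
    return sorted(n[len(prefix):] for n in names if n.startswith(prefix))


def world_listable(listacl_text, groups=BROAD_GROUPS):
    """Return (entry, rights) pairs in the Normal rights section that grant
    'l' (lookup/list) to the broad system groups.  Negative rights are
    skipped because they remove permissions rather than grant them."""
    leaks = []
    in_negative = False
    for line in listacl_text.splitlines():
        if line.startswith("Negative rights:"):
            in_negative = True
            continue
        if in_negative:
            continue
        m = ACL_PAIR.match(line)
        if m and m.group(1) in groups and "l" in m.group(2):
            leaks.append((m.group(1), m.group(2)))
    return leaks


if __name__ == "__main__":
    vols = volumes_from_listvldb(SAMPLE_LISTVLDB)
    print("volumes visible via VL_ListEntry-style listing:", vols)
    print("candidate user names:", usernames_from_volumes(vols))
    print("broad 'l' grants on the home tree:", world_listable(SAMPLE_LISTACL))
```

The point of running both halves together is the one made in the message: closing the VLDB listing alone changes nothing as long as the directory of mount points still carries system:anyuser "l", and vice versa.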
