The types of binaries usually kept in a user's directory would be executed with a valid token?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Derek Atkins
Sent: Wednesday, March 21, 2007 10:35 AM
To: Derrick J Brashear
Cc: ted creedon; openafs-info@openafs.org
Subject: RE: [OpenAFS] Re: [OpenAFS-announce] OpenAFS Security Advisory 2007-001: privilege escalation in Unix-based clients

Quoting Derrick J Brashear <[EMAIL PROTECTED]>:

> On Wed, 21 Mar 2007, ted creedon wrote:
>
>> Therefore, two cells could be used, one suid and the other for everything
>> else?
>
> You could, but that's not going to prevent the attack unless you
> ensure all access to the setuid cell is authenticated and enforce
> that at the client end

Well, if everything in the suidcell is system:authuser... That would
enforce that, right?

-derek

--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
[EMAIL PROTECTED] PGP key available
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info