On Wed, 21 Mar 2007, Derek Atkins wrote:

Quoting Derrick J Brashear <[EMAIL PROTECTED]>:

On Wed, 21 Mar 2007, ted creedon wrote:

Therefore, two cells could be used, one suid and the other for everything

You could, but that's not going to prevent the attack unless you ensure all access to the setuid cell is authenticated and enforce that at the client end.

Well, if everything in the suidcell is system:authuser...  That would
enforce that, right?

Not at the client end... Well, you can probably make it work but the server's idea of ACL and what it means enforces nothing at the client.

OpenAFS-info mailing list