On Mar 21, 2007, at 13:42, Derrick J Brashear wrote:

On Wed, 21 Mar 2007, Derek Atkins wrote:

Quoting Derrick J Brashear <[EMAIL PROTECTED]>:

On Wed, 21 Mar 2007, ted creedon wrote:
Therefore, two cells could be used, one suid and the other for everything
else?
You could, but that's not going to prevent the attack unless you ensure all access to the setuid cell is authenticated and enforce that at the client end

Well, if everything in the suidcell is system:authuser...  That would
enforce that, right?

Not at the client end... Well, you can probably make it work but the server's idea of ACL and what it means enforces nothing at the client.

Damn, well, aren't we all up a protocol pickle without a paddle...

I was hoping to come up with some amazing suggestion, or at least something more encouraging to say. I ain't got nothin'.

-rob
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info

Reply via email to