On Mar 21, 2007, at 13:42, Derrick J Brashear wrote:
On Wed, 21 Mar 2007, Derek Atkins wrote:
Quoting Derrick J Brashear <[EMAIL PROTECTED]>:
On Wed, 21 Mar 2007, ted creedon wrote:
Therefore, two cells could be used, one suid and the other for
everything
else?
You could, but that's not going to prevent the attack unless you
ensure all access to the setuid cell is authenticated and enforce
that at the client end
Well, if everything in the suidcell is system:authuser... That would
enforce that, right?
Not at the client end... Well, you can probably make it work but
the server's idea of ACL and what it means enforces nothing at the
client.
Damn, well, aren't we all up a protocol pickle without a paddle...
I was hoping to come up with some amazing suggestion, or at least
something more encouraging to say. I ain't got nothin'.
-rob
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info