On 12/7/2016 8:06 AM, Harald Barth wrote: > > The security advisory says: > >> We further recommend that administrators salvage all volumes with the >> -salvagedirs option, in order to remove existing leaks. > > Is moving the volume to another server enough to fix this as well or > does the leak move with the volume?
The leak will move with the volume. A bit of background for those that are not steeped in the details of the AFS3 protocol and client and file server access for directories. AFS file servers store directory information in a flat file that consists of a header, a hash table and a fixed number of directory entry blocks. When a client reads the contents of a directory, it fetches the directory file in exactly the same way it fetches the contents of normal files and symlinks. The AFS3 callback mechanism works the same for directory files as it does for normal files and symlinks. An AFS dump can be thought of as an AFS specific "tar" variant which stores AFS Volume metadata and data elements. When a volume dump is constructed for a volume move, a volume release, a volume backup, etc. the contents of the directory files are copied into the dump stream exactly as they are stored on disk by the file server. When a volserver receives a dump and writes it to disk as part of a AFSVol_VolForward or AFSVol_Restore operation, each directory file is written to disk as it exists within the dump. Backup systems that store full and incremental dump files do so without modifying the contents during the backup or restore operations. As a result restoring from a backup will restore any leaked information. Backup systems that parse AFS dumps and reconstruct AFS dumps during the restore process might or might not store and restore the leaked information. Contact the provider of your backup system. It is worth emphasizing that IBM AFS and OpenAFS volserver operations including all backup and restore operations occur in the clear. Therefore, all leaked information will be visible to passive viewers on the network segments across which volume backups and moves occur. What the salvager's "-salvagedirs" option does is force the salvager to rewrite every directory object. This has two benefits when performed by a 1.6.20 or later salvager. 1. It will build a directory file that contains no leaked information stored in the original directory file. 2. It will compact the directory to reduce fragmentation that could have resulted in directory full errors when attempting to store a filename that required more directory blocks than are available contiguously. I hope this information is helpful. Jeffrey Altman
<<attachment: jaltman.vcf>>
smime.p7s
Description: S/MIME Cryptographic Signature
