[OpenAFS-devel] kuserok() checking UID ownership on afs

Russ Allbery rra at stanford.edu
Tue Feb 1 20:12:19 EST 2005


Troy Benjegerdes <hozer at hozed.org> writes:

> kuserok() does not work when .k5login is on an afs volume where the
> local unix UID does not match the AFS ID.

> I've also gotten burned by the same type of paranoid UID and permissions
> checks in the courier mail server.

> This breaks cross-realm situations where you might want to allow people
> from multiple realms onto a system, and have local unix UIDs not equal
> to the AFS ID.

> Is there a good solution to this? UID mapping seems a possible solution,
> and has apparently been used for GPFS. 
> http://www-1.ibm.com/servers/eserver/clusters/whitepapers/uid_gpfs.html

I've never really understood the purpose served by this sort of ownership
check on security-related dotfiles.  It seems to me that if an attacker
can write to the user's home directory, you've already lost, since they
have control of the user's login files such as .cshrc and can easily
escalate that to control of the account in a wide variety of different
ways.

Is there any feasible and likely attack that this particular check is
defending against?

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
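
The failure mode described in the quoted message, as an added example that is not part of the original post and is not the Kerberos library's code: a simplified ownership check of the kind under discussion, which refuses a dotfile whose `st_uid` differs from the local account's UID. The helper names, result codes and temp-file path are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Distinct results so a caller can log why the file was refused. */
enum owner_result { OWNER_OK = 0, OWNER_MISSING, OWNER_NOT_REGULAR, OWNER_MISMATCH };

/*
 * Hypothetical helper: accept the file only if it is a regular file whose
 * st_uid equals the local account's UID. On AFS, st_uid reports the owner's
 * AFS ID, so this comparison fails whenever local UID != AFS ID, even though
 * the file really does belong to the user.
 */
enum owner_result check_dotfile_owner(const char *path, uid_t local_uid)
{
    struct stat st;

    if (lstat(path, &st) != 0)    return OWNER_MISSING;      /* no file: deny */
    if (!S_ISREG(st.st_mode))     return OWNER_NOT_REGULAR;  /* symlink, dir, ... */
    if (st.st_uid != local_uid)   return OWNER_MISMATCH;     /* the case in this thread */
    return OWNER_OK;
}

/* Constructed demo: create a file owned by the caller, then check it
 * against claimed_uid as if that were the local passwd entry's UID. */
enum owner_result demo_check(uid_t claimed_uid)
{
    char path[] = "/tmp/k5login-demo-XXXXXX";   /* constructed sample path */
    int fd = mkstemp(path);
    enum owner_result r;

    if (fd < 0) return OWNER_MISSING;
    close(fd);
    r = check_dotfile_owner(path, claimed_uid);
    unlink(path);
    return r;
}

int main(void)
{
    uid_t me = geteuid();
    printf("matching UID:    %d\n", demo_check(me));      /* OWNER_OK */
    printf("mismatched UID:  %d\n", demo_check(me + 1));  /* OWNER_MISMATCH */
    return 0;
}
```

The second call stands in for the cross-realm case: the file is legitimately the user's, but the numeric owner the filesystem reports is not the UID in the local passwd entry, so the check denies access.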

