Re: Microsoft Security Bulletin (MS99-051) (fwd)

From: David LeBlanc (dleblancat_private)
Date: Tue Nov 30 1999 - 09:55:14 PST

    At 10:09 PM 11/29/99 -0500, Jim Knoble wrote:
    
    >: This vulnerability would primarily affect machines that allow normal users
    >: to interactively log onto them. The patch eliminates this vulnerability by
    >: digitally signing all AT jobs at creation time, and verifying the signature
    >: at execution time.
    
    >Is this really a solution to the problem?  It seems to me that the
    >actual problem is this part
    
    >    if a malicious user had change access to an existing file owned by
    >    an administrator (it would not need to be an AT job), he or she
    >    could modify it to be a valid AT job and place in the appropriate
    >    folder for execution[....]
    
    This could happen a lot of different ways.  An admin could have created a
    file in the temp directory, and it got left somehow.  Although this
    situation isn't ideal, there are lots of scenarios where there will exist
    some junk file that isn't being used which admins own, and everyone can
    change.  You'll have to do some hunting to find one, as the more important
    files won't have change control granted to ordinary users.
    
    >Isn't that true for most files to which a malicious user has `change'
    >access?
    
    Shouldn't be the case very often.
    
    >Regardless of that, how does the patch stop malicious users from
    >producing AT jobs that have valid signatures and putting them in place?
    
    The signature is based on a unique certificate that is stored in the
    private data, and only admins can access the certificate.  So your
    requirement to use this method (post-fix) to become admin is to be admin.
    
    [snip problems with getting to FAQ, etc. - I don't know why it isn't
    working right]
    
    Hope this answers at least some of your questions.
    
    
    David LeBlanc
    dleblancat_private
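To illustrate the sign-at-creation / verify-at-execution scheme the reply describes (and why a user who can only change an admin-owned file still cannot produce a job the scheduler will accept), here is an added example that is not part of the original post or of Microsoft's patch. It models the admin-only certificate with an HMAC key that only administrators can read; the key name, the job-file layout and the sample job contents are constructed assumptions.

```python
import hmac
import hashlib

# Constructed stand-in for the per-machine certificate kept in protected storage:
# the property that matters is that only administrators can read this value.
ADMIN_SIGNING_KEY = b"constructed-admin-only-secret"
SIG_MARKER = b"\n--SIG:"


def sign_job(job_body: bytes, key: bytes = ADMIN_SIGNING_KEY) -> bytes:
    """Signing at creation time: append a tag over the job body.

    Only a caller holding the admin key produces a tag verify_job() accepts.
    """
    tag = hmac.new(key, job_body, hashlib.sha256).hexdigest().encode()
    return job_body + SIG_MARKER + tag + b"\n"


def verify_job(job_file: bytes, key: bytes = ADMIN_SIGNING_KEY):
    """Verification at execution time: return the job body if the tag is valid.

    Returns None for an unsigned file (e.g. a junk file edited into a job),
    a file whose body was changed after signing, or a tag made with another key.
    """
    body, sep, rest = job_file.rpartition(SIG_MARKER)
    if not sep or not rest.endswith(b"\n"):
        return None  # no signature trailer at all
    tag = rest[:-1]
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered body or wrong key
    return body


def scheduler_would_run(job_file: bytes) -> bool:
    """What the patched scheduler decides for a file found in the jobs folder."""
    return verify_job(job_file) is not None


if __name__ == "__main__":
    # Constructed scenarios: an admin-created job, the same file altered by a user
    # with change access, an unsigned file dropped into the folder, and a file
    # signed with a key that is not the admin's.
    good = sign_job(b"cmd /c backup.bat")
    print("admin job runs:      ", scheduler_would_run(good))
    print("edited job runs:     ", scheduler_would_run(good.replace(b"backup", b"other")))
    print("unsigned file runs:  ", scheduler_would_run(b"cmd /c other.bat"))
    print("user-signed runs:    ", scheduler_would_run(sign_job(b"cmd /c other.bat", b"user-key")))
```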
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:15:49 PDT