At 08:17 PM 12/1/99 -0800, Kris Kennaway wrote:
>On Tue, 30 Nov 1999, David LeBlanc wrote:
>
>> >Regardless of that, how does the patch stop malicious users from
>> >producing AT jobs that have valid signatures and putting them in place?
>> The signature is based on a unique certificate that is stored in the
>> private data, and only admins can access the certificate. So your
>> requirement to use this method (post-fix) to become admin is to be admin.
>Replay attack? I read the patch description as saying that it stores a
>signature in the file containing the AT job, which is verified at
>execution time. If you can read the job file as another user, you may be
>able to resubmit the same job multiple times, if the signature doesn't
>include data which is instance-specific (e.g. the job ID).

Here's what I was told:

"The ACL on an At job file denies read access to non-admins. This prevents non-admins from copying a signed At job into another admin-owned file."

BTW, job ID wouldn't be sufficient - those numbers do get reused.

If anyone else sees a problem with the current way it works, send mail to secureat_private and/or to me - I'll do my best to follow up.

Thanks for pointing this out - though it seems painfully obvious now, I hadn't thought of it on my own.

David LeBlanc
dleblancat_private
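The replay point raised in the thread, worked through as an added example. This is illustration code written for this archive page, not the patch's own implementation or its signature format; the HMAC key (standing in for the admin-only certificate), the JSON record layout and the nonce registry are all assumptions. The weak scheme signs only job id and command, so a copied record verifies as often as it is presented and, since job ids are reused, including the id changes nothing; the JobStore variant binds each submission to a one-time nonce that the scheduler remembers and refuses to run twice.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the admin-only signing secret; in the patch the
# signature is tied to a certificate kept in admin-only private data.
DEMO_KEY = b"\x01" * 32


def weak_sign(key, job_id, command):
    # Signature covers only job id and command. Because job ids get reused,
    # a copy of this record is indistinguishable from a fresh submission.
    body = json.dumps({"job_id": job_id, "command": command}, sort_keys=True)
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def weak_verify(key, record):
    # Verifier has no memory of what it already ran: any valid copy passes.
    expected = hmac.new(key, record["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["sig"])


class JobStore:
    """Scheduler-side view (assumed design): every submission gets a fresh
    instance nonce inside the signed body, and the scheduler refuses to
    execute a nonce it did not issue or has already consumed."""

    def __init__(self, key):
        self._key = key
        self._issued = set()    # nonces handed out at submission time
        self._consumed = set()  # nonces whose job has already run

    def submit(self, job_id, command):
        nonce = secrets.token_hex(16)  # unique per submission, unlike job ids
        body = json.dumps(
            {"job_id": job_id, "command": command, "nonce": nonce},
            sort_keys=True,
        )
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        self._issued.add(nonce)
        return {"body": body, "sig": sig}

    def execute(self, record):
        expected = hmac.new(
            self._key, record["body"].encode(), hashlib.sha256
        ).hexdigest()
        if not hmac.compare_digest(expected, record["sig"]):
            return "rejected: bad signature"
        fields = json.loads(record["body"])
        nonce = fields.get("nonce")
        if nonce not in self._issued:
            return "rejected: unknown instance"
        if nonce in self._consumed:
            return "rejected: replay"
        self._consumed.add(nonce)
        return "ran job %d: %s" % (fields["job_id"], fields["command"])


if __name__ == "__main__":
    # Weak scheme: a byte-for-byte copy of a signed record verifies every time.
    copy = dict(weak_sign(DEMO_KEY, 7, "backup.cmd"))
    print("weak scheme, copied record verifies:", weak_verify(DEMO_KEY, copy))

    store = JobStore(DEMO_KEY)
    rec = store.submit(7, "backup.cmd")
    print(store.execute(rec))  # runs once
    print(store.execute(rec))  # second presentation of the same record: replay
    edited = {"body": rec["body"].replace("backup", "other"), "sig": rec["sig"]}
    print(store.execute(edited))  # edited body no longer matches the signature
```

The nonce registry only helps if the scheduler itself, not the job file, is the source of truth for what was issued and consumed; that is the same reasoning behind the ACL answer quoted above, which keeps the signed file out of non-admin hands in the first place.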
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:17:10 PDT