[Full-disclosure] AFS - The Ultimate Solution?

Hi list,

recently I found myself in an argument which I found interesting. This
is why I want to pass it on to the list, since neither I nor my friend
were able to agree on this. Maybe the broader knowledge of this list
will shed some light on the matter. Apart from this, I think it might
interest many of you.

The core of the discussion is a corporate system with several workstations,
all attached to a single network. This network runs an AFS server which
supplies the corporation's AFS cell.
Every workstation boots into a minimal environment which asks for a
username and password. Afterwards it uses these to connect to the
AFS cell and boots one of several available system images which reside
on the AFS server. (Both Linux (FC1) and Windows (2000) images are
available.) After booting the OS, several important folders and files are
replaced with the user's own data (which only he can access, due to
Kerberos authentication). For instance, the Linux image gets /etc/passwd,
/etc/shadow, /home/$USER and some others replaced. The custom
/etc/passwd and /etc/shadow will only contain the user himself and the
root account, in order to prevent brute-forcing the passwords.

It seems like this system is quite secure. Even if an attacker should
gain root access locally, he would not be able to access anything he
didn't own in the first place (that is, other users' files residing in
their private AFS folders). Also, he could cause no destruction to the
system, because the system is booted from the same image every time. Even
if he did something like rm -rf / he would only delete his private files
in the home folder.

This is kind of a combination of RemoteBoot and AFS.

The well-known weakness of RemoteBoot is that, assuming the
communication with the image server is not encrypted, it is possible
to supply forged images to the workstation (e.g. by ARP spoofing).
AFS, however, uses Kerberos to authenticate and is thus considered secure.

Now my friend claims that this system could go unmanaged for ages, since
the user's data would remain secure even if security holes were
published and exploits released. This seems true.
However, I kind of refuse to believe that something this simple can truly
be secure.

The only hole I could come up with is a remote
vulnerability which an attacker would use to access the running
workstation of somebody else.
However, this seems unlikely and quite lame.

Anyone up for anything more sophisticated?

Thanks in advance and happy arguing.


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/