User level permissions

Chris Wing wingc at engin.umich.edu
Sat Jun 26 19:36:04 CEST 1999


Assar:

> > but to make it work as intended you also need this patch to the KTH source
> > to add a few options to kauth:
> > 
> > http://www-personal.engin.umich.edu/~wingc/kthkrb/kauth.patch
> 
> Committed.

Thanks, but it was really just a hack which still requires a wrapper
script :) At the time I wrote that, we needed klog -pipe for an
authentication app around here, which I have since rewritten with pure
libkafs.

> 
> > http://www-personal.engin.umich.edu/~wingc/kthkrb/kauth-man.patch
> 
> Your man page lists '-i' which is not implemented by your kauth.patch?

Hmm, that's because I forgot this patch:

http://www-personal.engin.umich.edu/~wingc/kthkrb/krb4-afsid.patch

By the way, in order for this to do any good we also need a patch to Arla
itself:

http://www-personal.engin.umich.edu/~wingc/kthkrb/arla-0.21-viceid.patch

You can strip off the comments if you like, but on the other hand it
wouldn't hurt to have more documentation in the source code... Sorry, I
should have sent that patch in earlier :(


*** HOWEVER ***, that isn't the way that it should be done (as regards to
kauth). I added that because the current behavior of KTH-KRB was confusing
to those familiar with the official AFS. Before, klist -tokens would list
all tokens as being owned by AFS ID == your current UID. This was
confusing to people who used klog to get tokens for other AFS accounts. In
the official AFS, klog will set the token's AFSId to be the actual AFSId
of the user (as would be returned by 'pts examine username'). My patch to
kauth only gets the ID out of /etc/passwd, which only works for us because
we synchronize the Unix UID in our passwd files with the AFSId.

So, to do the right thing, we either need to put some of arlalib and pts
into libkafs, so that k_afslog() gets the right AFSId by contacting the
protection database; or, we need to put it into a utility program like
kauth.

If anyone's interested besides me, I'd be willing to try and write a clone
of the real klog in C, that would implement these features.

> > http://www-personal.engin.umich.edu/~wingc/kthkrb/klist-tokens.patch
> 
> The current code works fine if you have just tokens (with code quite
> similar to your patch).  BTW, why do you change warnx to warn?

Because I'm a moron. I was in a hurry when I originally wrote that and
thought that 'x' stood for exit, and of course I was trying to make sure
that the program didn't terminate until it had listed all tokens  :)


Thanks,
Chris

wingc at engin.umich.edu
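The message notes that taking the AFSId from /etc/passwd is only correct where the Unix UID and the AFSId are kept in sync. The following check is an added example, not part of the original message or of any patch linked from it: it lists accounts where the two IDs differ. The sample data is constructed, and the `Name: ..., id: ...` layout of `pts examine` output is an assumption to verify against your AFS version.

```shell
#!/bin/sh
# Constructed sample data: passwd(5) lines and `pts examine` output.
SAMPLE_PASSWD='alice:x:1001:100:Alice:/home/alice:/bin/sh
bob:x:1002:100:Bob:/home/bob:/bin/sh
carol:x:1003:100:Carol:/home/carol:/bin/sh'

# Assumed output layout; continuation lines carry no "Name:" field.
SAMPLE_PTS='Name: alice, id: 1001, owner: system:administrators, creator: admin,
  membership: 2, flags: S----, group quota: 20.
Name: bob, id: 20417, owner: system:administrators, creator: admin,
  membership: 0, flags: S----, group quota: 20.
Name: dave, id: 1004, owner: system:administrators, creator: admin,'

# afsid_mismatches PASSWD_TEXT PTS_TEXT
# Prints "user unix_uid afs_id" for every passwd user whose AFS ID differs
# from the Unix UID, and "user unix_uid none" when pts has no entry.
# For these users a passwd-based lookup would label tokens with the wrong ID.
afsid_mismatches() {
    printf '%s\n---\n%s\n' "$2" "$1" | awk '
        /^---$/ { in_passwd = 1; next }      # separator between the inputs
        !in_passwd {
            name = ""; id = ""
            n = split($0, f, /, */)
            for (i = 1; i <= n; i++) {
                if (f[i] ~ /^Name: /)    name = substr(f[i], 7)
                else if (f[i] ~ /^id: /) id = substr(f[i], 5)
            }
            if (name != "" && id != "") afs[name] = id
            next
        }
        {
            split($0, p, ":")
            if (p[1] == "") next             # skip blank lines
            if (!(p[1] in afs))
                print p[1], p[3], "none"
            else if ((afs[p[1]] + 0) != (p[3] + 0))
                print p[1], p[3], afs[p[1]]
        }'
}

# Run on the constructed samples when executed directly.
afsid_mismatches "$SAMPLE_PASSWD" "$SAMPLE_PTS"
```

On a real host the two arguments would be the contents of the passwd file and the collected `pts examine` output for the same users.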





