AFS access permissions and OSX interaction
Henry B. Hotz
hotz at jpl.nasa.gov
Tue Aug 19 21:12:53 CEST 2003
At 6:06 PM +0200 8/18/03, Tino Schwarze wrote:
>On Mon, Aug 18, 2003 at 09:34:19AM -0600, nepywoda at fnal.gov wrote:
>> Earlier I posted to the list about changing the local UID to match the
>> AFS UID in Mac OSX. Some people suggest doing this, but I've never
>> come across the true reason behind it. What I'm wondering is, if 2
>> people have the same local UID, say 501, different AFS UIDs, and login
>> at the same time...can person 1 fool AFS into thinking it owns person
>> 2's files? This seems like a huge security issue to me, so I doubt
>> that would be the case.
>
>AFS always looks at the AFS UID, never at the local UID. At least, it
>should not. *g*
You know I'm not so sure it's that simple. How are the AFS tokens stored?
On OpenAFS I'm pretty sure they're still stored by Unix UID. The
standard Unix PAG mechanism isn't implemented because it conflicts
with the Security Context done underneath Unix in Mach. Therefore if
two different users have the same UID then they share the same AFS
token.
Does Arla integrate with the Mach Security Context? I know the
built-in MIT Kerberos does.
--
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
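The message above argues that, without a PAG, an AFS token on OS X is keyed by the local Unix UID, so two accounts that share a UID would share one token. The following shell script is an added example (not code from the thread or from OpenAFS/Arla) that performs the corresponding administrative check: it reads passwd(5)-formatted account records and reports every UID held by more than one account. The account lines are constructed sample data; on Mac OS X the records would come from the directory service rather than /etc/passwd.

```shell
#!/bin/sh
# Added example: find local accounts that share a UID. Under the
# token-per-Unix-UID behaviour described in the thread, such accounts
# would also share one AFS token. Input is passwd(5)-formatted lines
# (name:passwd:uid:gid:gecos:home:shell).

# Constructed sample data: alice and bob both mapped to local UID 501.
SAMPLE_PASSWD='root:*:0:0:System Administrator:/var/root:/bin/sh
alice:*:501:20:Alice Example:/Users/alice:/bin/bash
bob:*:501:20:Bob Example:/Users/bob:/bin/bash
carol:*:502:20:Carol Example:/Users/carol:/bin/bash'

# duplicate_uids: read passwd-format lines on stdin and print
# "uid user1,user2,..." for every UID held by more than one account.
# Prints nothing when every UID is unique.
duplicate_uids() {
    awk -F: '
        NF >= 3 {
            count[$3]++
            users[$3] = (users[$3] == "" ? $1 : users[$3] "," $1)
        }
        END {
            for (uid in count)
                if (count[uid] > 1)
                    print uid, users[uid]
        }' | sort -n
}

# check_shared_uids: human-readable wrapper; returns 1 when shared UIDs
# exist so it can be used from a cron job or login-time check.
check_shared_uids() {
    dups=$(duplicate_uids)
    if [ -n "$dups" ]; then
        printf 'accounts sharing a local UID (would share one AFS token):\n%s\n' "$dups"
        return 1
    fi
    echo "no shared local UIDs"
    return 0
}

# Usage with the constructed sample; "|| :" keeps the script's own exit
# status zero so the report can be read before acting on it.
printf '%s\n' "$SAMPLE_PASSWD" | check_shared_uids || :
```

On a real host, replace the sample with the actual account listing (for example the output of the directory-service query for user records) and treat any reported UID as an account-mapping problem to resolve before relying on per-user AFS permissions.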