AFS access permissions and OSX interaction

nepywoda at fnal.gov
Wed Aug 20 15:04:40 CEST 2003


----- Original Message -----
From: "Henry B. Hotz" <hotz at jpl.nasa.gov>
Date: Tuesday, August 19, 2003 2:12 pm
Subject: Re: AFS access permissions and OSX interaction

> At 6:06 PM +0200 8/18/03, Tino Schwarze wrote:
> You know I'm not so sure it's that simple.  How are the AFS tokens
> stored?
> On OpenAFS I'm pretty sure they're still stored by Unix UID.  The
> standard Unix PAG mechanism isn't implemented because it conflicts
> with the Security Context done underneath Unix in Mach.  Therefore if
> two different users have the same UID then they share the same AFS
> token.
> 
> Does Arla integrate with the Mach Security Context?  I know the 
> built-in MIT Kerberos does.
> -- 
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
> 

If two users with different usernames authenticate themselves with Kerberos but have the
same LOCAL UID, then any Joe can come along with a Kerberos ticket and hack into
anyone's files. I'm not very informed on the technical aspects of this authentication, but
it seems that logically this wouldn't happen, because security itself would break down
within AFS.

~~~Paul Nepywoda
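The scenario Henry raises (two Kerberos principals behind one local UID, with the cache manager unable to key tokens by PAG) can be modelled in a few lines. The following is an added example, not code from this thread and not OpenAFS or Arla code; Cred, TokenCache, setpag() and the principal names are invented for the illustration, and the PAG values are arbitrary. It compares a cache that keys tokens by Unix UID with one that keys them by PAG, and also shows what a same-UID process that never obtained a PAG sees in each case.

```python
"""Toy model of an AFS token cache: tokens keyed by Unix UID versus by PAG.

Illustrative only; this is not OpenAFS or Arla code. The names Cred,
TokenCache and setpag() are invented for the example.
"""
from dataclasses import dataclass
from itertools import count
from typing import Optional, Tuple

NOPAG = None
# Arbitrary PAG numbers for the model (assumption: any unique value per login session works).
_pag_counter = count(0x41000000)


@dataclass
class Cred:
    """Process credentials: a Unix UID plus an optional PAG."""
    uid: int
    pag: Optional[int] = NOPAG


def setpag(cred: Cred) -> Cred:
    """Give the process a fresh PAG (what 'pagsh' does before login).
    The UID is unchanged; only the PAG is new."""
    return Cred(uid=cred.uid, pag=next(_pag_counter))


class TokenCache:
    """Cache of AFS tokens held by the cache manager.

    key_by_pag=True  models the PAG mechanism: a process with a PAG is
                     keyed by it; a process without one falls back to UID.
    key_by_pag=False models a cache manager that can only key by UID
                     (the situation described for OpenAFS on OS X above).
    """

    def __init__(self, key_by_pag: bool):
        self.key_by_pag = key_by_pag
        self._tokens = {}

    def _key(self, cred: Cred):
        if self.key_by_pag and cred.pag is not NOPAG:
            return ("pag", cred.pag)
        return ("uid", cred.uid)

    def store(self, cred: Cred, principal: str) -> None:
        """Record that processes matching cred hold a token for principal."""
        self._tokens[self._key(cred)] = principal

    def lookup(self, cred: Cred) -> Optional[str]:
        """Return the principal whose token a process with cred would use."""
        return self._tokens.get(self._key(cred))


def shared_uid_scenario(key_by_pag: bool) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Two Kerberos principals log in under the same local UID 1000.

    Returns the token seen by (alice's process, bob's process, a third
    UID-1000 process that never called setpag()).
    """
    cache = TokenCache(key_by_pag)
    alice = Cred(uid=1000)
    bob = Cred(uid=1000)
    if key_by_pag:
        alice = setpag(alice)   # each login session gets its own PAG
        bob = setpag(bob)
    cache.store(alice, "alice@EXAMPLE.ORG")   # constructed sample principals
    cache.store(bob, "bob@EXAMPLE.ORG")
    bystander = Cred(uid=1000)                # same UID, no PAG
    return cache.lookup(alice), cache.lookup(bob), cache.lookup(bystander)


if __name__ == "__main__":
    print("UID-keyed:", shared_uid_scenario(key_by_pag=False))
    print("PAG-keyed:", shared_uid_scenario(key_by_pag=True))
```

With UID keying, bob's login overwrites alice's entry and every UID-1000 process, including alice's shell, now acts as bob; with PAG keying, each login keeps its own token and a process that skipped setpag() holds none.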






More information about the Arla-drinkers mailing list