AFS access permissions and OSX interaction
Henry B. Hotz
hotz at jpl.nasa.gov
Wed Aug 20 20:48:48 CEST 2003
At 7:04 AM -0600 8/20/03, nepywoda at fnal.gov wrote:
>----- Original Message -----
>From: "Henry B. Hotz" <hotz at jpl.nasa.gov>
>Date: Tuesday, August 19, 2003 2:12 pm
>Subject: Re: AFS access permissions and OSX interaction
>
>> You know I'm not so sure it's that simple. How are the AFS tokens
>> stored?
>> On OpenAFS I'm pretty sure they're still stored by Unix UID. The
>> standard Unix PAG mechanism isn't implemented because it conflicts
>> with the Security Context done underneath Unix in Mach. Therefore
>> if two different users have the same UID then they share the same AFS
>> token.
>>
>> Does Arla integrate with the Mach Security Context? I know the
>> built-in MIT Kerberos does.
>
>If 2 users with different usernames authenticate themselves with
>Kerberos but have the same LOCAL UID...then any Joe can come along
>with a Kerberos ticket and hack into anyone's files. I'm not very
>informed on the technical aspects of this authentication, but it
>seems that logically this wouldn't happen because security itself
>would break down within AFS.
If two (different?) users have the same UID then the OS thinks they
are the same user and they can hack each other to bits. They still
can't touch anyone else with different UIDs. This is just Unix; it's
got nothing to do with AFS. In fact I generally have a toor account
defined on my machines with UID 0 so I can get root access with the
shell I want.
My point is that if you have two different users with the same UID
then they share the same AFS tokens (in addition to all other
permissions) unless they are in different PAGs. Kerberos 5 will try
to associate tickets with login sessions, but the user can still go
get the other session's ticket if he wants (except on MacOS X).
I'm guessing, but I think the intent of the original question was:
could you just create a local group account and hand it out? Each
actual user would then klog to his actual AFS account and go from
there. The answer is that this is a "bad idea" (TM).
If, on the other hand, each user has a different UID which has no
relation to the AFS UID then you're fine. The only problem is
confusion. You don't even have a problem if a local UID happens to
match up with an AFS UID.
--
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu