AFS access permissions and OSX interaction

Henry B. Hotz hotz at jpl.nasa.gov
Wed Aug 20 20:48:48 CEST 2003


At 7:04 AM -0600 8/20/03, nepywoda at fnal.gov wrote:
>----- Original Message -----
>From: "Henry B. Hotz" <hotz at jpl.nasa.gov>
>Date: Tuesday, August 19, 2003 2:12 pm
>Subject: Re: AFS access permissions and OSX interaction
>
>>  You know I'm not so sure it's that simple.  How are the AFS tokens
>>  stored?
>>  On OpenAFS I'm pretty sure they're still stored by Unix UID.  The
>>  standard Unix PAG mechanism isn't implemented because it conflicts
>>  with the Security Context done underneath Unix in Mach.  Therefore
>>  if two different users have the same UID then they share the same AFS
>>  token.
>>
>>  Does Arla integrate with the Mach Security Context?  I know the
>>  built-in MIT Kerberos does.
>
>If 2 users with different usernames authenticate themselves with 
>Kerberos but have the same LOCAL UID...then any Joe can come along 
>with a Kerberos ticket and hack into anyone's files. I'm not very 
>informed on the technical aspects of this authentication, but it 
>seems that logically this wouldn't happen because security itself 
>would break down within AFS.

If two (different?) users have the same UID then the OS thinks they 
are the same user and they can hack each other to bits.  They still 
can't touch anyone else with different UIDs.  This is just Unix, it's 
got nothing to do with AFS.  In fact I generally have a toor account 
defined on my machines with UID 0 so I can get root access with the 
shell I want.

My point is that if you have two different users with the same UID 
then they share the same AFS tokens (in addition to all other 
permissions) unless they are in different PAGs.  Kerberos 5 will try 
to associate tickets with login sessions, but the user can still go 
get the other session's ticket if he wants (except on MacOS X).

I'm guessing, but I think the intent of the original question was 
could you just create a local group account and hand it out?  Each 
actual user would then klog to his actual AFS account and go from 
there.  The answer is that this is a "bad idea" (TM).

If, on the other hand, each user has a different UID which has no 
relation to the AFS UID then you're fine.  The only problem is 
confusion.  You don't even have a problem if a local UID happens to 
match up with an AFS UID.
-- 
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
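A check for the UID collision Henry describes, where two account names with the same numeric UID share every permission, AFS tokens included: this is an added example, not code from the thread, the passwd entries are constructed, and it only inspects passwd-format text, so it has no view of PAG membership or the token store.

```python
from collections import defaultdict

# Constructed sample passwd entries (not from any real host). The toor/root
# pair mirrors the UID-0 alternate-shell account mentioned in the message.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:root with other shell:/root:/bin/zsh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
"""


def parse_passwd(text):
    """Return (name, uid) pairs from passwd-format text, skipping blank and comment lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries.append((fields[0], int(fields[2])))
    return entries


def shared_uids(entries):
    """Map each UID used by more than one account name to the sorted names using it."""
    by_uid = defaultdict(set)
    for name, uid in entries:
        by_uid[uid].add(name)
    return {uid: sorted(names) for uid, names in by_uid.items() if len(names) > 1}


def report(text):
    """One line per shared UID; UID 0 is tagged because those accounts all share root."""
    shared = shared_uids(parse_passwd(text))
    lines = []
    for uid in sorted(shared):
        tag = "ROOT " if uid == 0 else ""
        lines.append(f"{tag}UID {uid} shared by: {', '.join(shared[uid])}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_PASSWD):
        print(line)
```

On a live host, feed it the output of `getent passwd` so directory-served accounts are included, not just /etc/passwd.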