AFS access permissions and OSX interaction

nepywoda@fnal.gov nepywoda at fnal.gov
Wed Aug 20 21:14:31 CEST 2003



----- Original Message -----
From: "Henry B. Hotz" <hotz at jpl.nasa.gov>
Date: Wednesday, August 20, 2003 1:48 pm
Subject: Re: AFS access permissions and OSX interaction
> If two (different?) users have the same UID then the OS thinks they
> are the same user and they can hack each other to bits.  They still
> can't touch anyone else with different UIDs.  This is just Unix, it's
> got nothing to do with AFS.  In fact I generally have a toor account
> defined on my machines with UID 0 so I can get root access with the
> shell I want.
> 
> My point is that if you have two different users with the same UID
> then they share the same AFS tokens (in addition to all other
> permissions) unless they are in different PAGs.  Kerberos 5 will try
> to associate tickets with login sessions, but the user can still go
> get the other session's ticket if he wants (except on MacOS X).
> 
> I'm guessing, but I think the intent of the original question was 
> could you just create a local group account and hand it out?  Each 
> actual user would then klog to his actual AFS account and go from 
> there.  The answer is that this is a "bad idea" (TM).
> 
> If, on the other hand, each user has a different UID which has no 
> relation to the AFS UID then you're fine.  The only problem is 
> confusion.  You don't even have a problem if a local UID happens to 
> match up with an AFS UID.
> -- 
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
> 

I think I forgot to mention that I didn't mean joe and fred both have UID say 501
on the SAME machine... just that 501 is the default UID for OSX. So if Joe is on
machine 1 and Fred is on machine 2, both have local (to their computer) UIDs of
501. Certainly if they were on the same machine with the same UID there would
be problems. I'm talking about 2 different machines. I assume that a token not
only binds to a UID, but also to a computer/IP address/PAG.

Sorry about the confusion.

~~~Paul Nepywoda
More information about the Arla-drinkers mailing list