AFS access permissions and OSX interaction
Henry B. Hotz
hotz at jpl.nasa.gov
Thu Aug 21 01:44:50 CEST 2003
At 2:14 PM -0500 8/20/03, nepywoda at fnal.gov wrote:
>----- Original Message -----
>From: "Henry B. Hotz" <hotz at jpl.nasa.gov>
>Date: Wednesday, August 20, 2003 1:48 pm
>Subject: Re: AFS access permissions and OSX interaction
>> If two (different?) users have the same UID then the OS thinks they
>> are the same user and they can hack each other to bits. They still
>> can't touch anyone else with different UIDs. This is just Unix, it's
>> got nothing to do with AFS. In fact I generally have a toor account
>> defined on my machines with UID 0 so I can get root access with the
>> shell I want.
>>
>> My point is that if you have two different users with the same UID
>> then they share the same AFS tokens (in addition to all other
>> permissions) unless they are in different PAGs. Kerberos 5 will try
>> to associate tickets with login sessions, but the user can still go
>> get the other session's ticket if he wants (except on MacOS X).
>>
>> I'm guessing, but I think the intent of the original question was
>> could you just create a local group account and hand it out? Each
>> actual user would then klog to his actual AFS account and go from
>> there. The answer is that this is a "bad idea" (TM).
>>
>> If, on the other hand, each user has a different UID which has no
>> relation to the AFS UID then you're fine. The only problem is
>> confusion. You don't even have a problem if a local UID happens to
>> match up with an AFS UID.
>
>I think I forgot to mention that I didn't mean joe and fred both
>have UID say 501 on the SAME machine....just that 501 is the default
>UID for OSX. So if Joe is on machine 1 and Fred is on machine 2,
>both have local (to their computer) UIDs of 501. Certainly if they
>were on the same machine with the same UID there would be problems.
>I'm talking about 2 different machines. I assume that a token not
>only binds to a UID, but also to a computer/IP address/PAG.
The kernel tracks the token by UID (or by PAG if PAG is implemented).
Given full Kerberos then the ticket is tied to the machine/IP unless
it's an addressless ticket or specifically forwarded.
>Sorry about the confusion.
No problem. ;-)
--
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
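An added illustration of the point made in this exchange, not code from the thread or from Arla: a small Python model of a per-host token table that keys tokens by PAG when one exists and falls back to the UID otherwise. Host names, the cell name, UID 501 and the PAG numbers are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed model of the cache manager's token table on one host.
# Real AFS clients key tokens by PAG where PAG support exists, otherwise
# by UID; this is an illustration, not Arla or OpenAFS code.


@dataclass
class HostTokenCache:
    hostname: str
    # key -> {cell: token}; key is ("pag", n) or ("uid", n)
    table: dict = field(default_factory=dict)

    @staticmethod
    def _key(uid, pag):
        # A PAG isolates one login session; without one, the UID is the identity.
        return ("pag", pag) if pag is not None else ("uid", uid)

    def set_token(self, uid, pag, cell, token):
        """Model of klog: attach a token for `cell` to the caller's PAG or UID."""
        self.table.setdefault(self._key(uid, pag), {})[cell] = token

    def tokens(self, uid, pag):
        """Model of the `tokens` command: which tokens does this session see?"""
        return dict(self.table.get(self._key(uid, pag), {}))


def demo():
    m1, m2 = HostTokenCache("machine1"), HostTokenCache("machine2")
    # Joe and Fred both have the default OS X UID 501, on different machines.
    m1.set_token(501, None, "example.cell", "joe-token")
    m2.set_token(501, None, "example.cell", "fred-token")
    cross_host = m2.tokens(501, None)      # Fred's host never sees Joe's token
    # Same machine, same UID, no PAG: a second login shares the first's token.
    shared = m1.tokens(501, None)
    # Same machine, same UID, but each login in its own PAG: isolated.
    m1.set_token(501, 0x41000001, "example.cell", "session-a")
    m1.set_token(501, 0x41000002, "example.cell", "session-b")
    return (cross_host, shared,
            m1.tokens(501, 0x41000001), m1.tokens(501, 0x41000002))


if __name__ == "__main__":
    for label, seen in zip(("fred@machine2", "shared@machine1",
                            "pag-a@machine1", "pag-b@machine1"), demo()):
        print(f"{label}: {seen}")
```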