[OpenAFS-devel] kuserok() checking UID ownership on afs

Douglas E. Engert deengert@anl.gov
Thu, 03 Feb 2005 06:35:33 -0600


Jeffrey Hutzelman wrote:

>>> 1. Acquire krbtgt (forwarded or with passwd) to memory
>>> 2. Setup AFS stuff (afs service ticket, token, pag) if possible
>>> 3. Evaluate .k5login
>>> 4. Decide if user is OK
>>> 5. Give ticket to user
>>> 6. Login user into pag from above
> 
> 
>> It's not the Kerberos code that needs bending, it's the login applications
>> that need to get credentials to access the potential home directory
>> before trying to access any files in the home directory.
> 
> 
> Unfortunately, you're both trying to solve a problem other than the one Troy
> and Russ were actually discussing.  You're trying to solve the "I can't 
> access the user's .k5login" problem, but the problem they were talking 
> about is "how can I prove that no one _except_ the user could have 
> written to the .k5login?".
> 

Those are both valid problems.

Maybe it's time to get rid of the .k5login; it has some security implications,
since a user can give others access to his account. Some sites might not like
this flexibility.

The related problem I would like to solve is that I don't want to have to make
the dot files world readable so that root on a machine I am on can read the
.k5login without a token, and I don't want to have to play all the games of
symlinks to a dotfile directory with rl.


> -- Jeff

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
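The six-step login sequence quoted above, and Jeff's question about proving that no one except the user could have written the .k5login, both come down to the check a login program makes before it trusts the file. The following is an added example, not code from OpenAFS, MIT Kerberos or anyone on this thread: a minimal kuserok()-style check that accepts the file only when stat() reports it as owned by the user (or root) and not group- or world-writable, then looks for an exact principal match. The enum names, the `check_k5login` and `check_constructed` functions, the constructed principal list and the temporary-file harness are all assumptions made for this example. On AFS the owner uid and mode bits that stat() reports do not reflect who can write the file (access is governed by the directory ACL), so this check gives no assurance there; that is the gap the thread is about.

```c
/*
 * Added example (not OpenAFS or MIT Kerberos code): a minimal
 * kuserok()-style .k5login check on a local filesystem.  Names and the
 * sample principal list are assumptions made for this example.
 * On AFS the stat() owner/mode do not say who can write the file, so
 * this check proves nothing there.
 */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum k5login_result {
    K5LOGIN_ALLOW = 0,      /* principal listed in a trustworthy file */
    K5LOGIN_DENY = 1,       /* file trustworthy, principal not listed */
    K5LOGIN_UNTRUSTED = 2,  /* someone other than the user could have written it */
    K5LOGIN_NOFILE = 3      /* no .k5login; caller falls back to name mapping */
};

/* Only the account owner or root may own the file, and it must not be
 * group- or world-writable; otherwise anyone could grant themselves access. */
static int k5login_trusted(const struct stat *st, uid_t owner_uid)
{
    if (!S_ISREG(st->st_mode))
        return 0;
    if (st->st_uid != owner_uid && st->st_uid != 0)
        return 0;
    if (st->st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

int check_k5login(const char *path, uid_t owner_uid, const char *principal)
{
    struct stat st;
    FILE *fp;
    char line[512];
    int result = K5LOGIN_DENY;

    if (stat(path, &st) != 0)
        return errno == ENOENT ? K5LOGIN_NOFILE : K5LOGIN_UNTRUSTED;
    if (!k5login_trusted(&st, owner_uid))
        return K5LOGIN_UNTRUSTED;

    fp = fopen(path, "r");
    if (fp == NULL)
        return K5LOGIN_UNTRUSTED;
    while (fgets(line, sizeof line, fp) != NULL) {
        line[strcspn(line, "\r\n")] = '\0';   /* strip the line ending */
        if (line[0] == '\0')
            continue;                          /* ignore blank lines */
        if (strcmp(line, principal) == 0) {    /* exact match only */
            result = K5LOGIN_ALLOW;
            break;
        }
    }
    fclose(fp);
    return result;
}

/* Harness for the example: write a constructed .k5login with the given
 * mode into a temporary file owned by the calling uid, check it, remove it.
 * Returns -1 if no temporary file could be created. */
int check_constructed(mode_t mode, const char *contents, const char *principal)
{
    char path[64];
    int fd, result;
    size_t len = strlen(contents);

    strcpy(path, "/tmp/k5login-exampleXXXXXX");
    fd = mkstemp(path);
    if (fd < 0) {                              /* fall back to the cwd */
        strcpy(path, "./k5login-exampleXXXXXX");
        fd = mkstemp(path);
    }
    if (fd < 0)
        return -1;
    if (write(fd, contents, len) != (ssize_t)len || fchmod(fd, mode) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    result = check_k5login(path, getuid(), principal);
    unlink(path);
    return result;
}

int main(void)
{
    /* constructed sample .k5login contents */
    const char *list = "alice@EXAMPLE.COM\nalice/admin@EXAMPLE.COM\n";
    printf("0644, alice listed:   %d\n", check_constructed(0644, list, "alice@EXAMPLE.COM"));
    printf("0644, bob not listed: %d\n", check_constructed(0644, list, "bob@EXAMPLE.COM"));
    printf("0666, alice listed:   %d\n", check_constructed(0666, list, "alice@EXAMPLE.COM"));
    printf("missing file:         %d\n",
           check_k5login("/nonexistent/.k5login", getuid(), "alice@EXAMPLE.COM"));
    return 0;
}
```

The world-writable case is the one that matters for Jeff's question: the contents are identical and the user is listed, yet the file is rejected, because the mode bits show that anyone on the machine could have added a line. That refusal is only meaningful where the reported owner and mode are enforced by the filesystem, which is exactly what is not true of a .k5login stored in AFS.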