[OpenAFS-devel] kuserok() checking UID ownership on afs

Troy Benjegerdes hozer@hozed.org
Thu, 17 Feb 2005 13:41:52 -0600


On Fri, Feb 04, 2005 at 10:56:23AM -0800, Russ Allbery wrote:
> Russ Allbery <rra@stanford.edu> writes:
> > Troy Benjegerdes <hozer@hozed.org> writes:
> 
> >> On the openafs side of things, I'd like to be able to have AFSid ->
> >> local UID mapping functions as well, so 'ls -l' in someone else's afs
> >> cell can return something intelligent, provided the local admin either
> >> has a mapping daemon running, or has pre-mapped specific remote users.
> 
> > You can do this, but you have to patch libc to override the stat()
> > function and the like.  Unix operating systems don't have any other
> > hooks available to fiddle with the UID.  There isn't any way to do this
> > with PAM or nsswitch.
> 
> On a second reading, if all you care about are the *names* that you get
> from something like "ls -l", you can solve that through nsswitch provided
> that there aren't any UID conflicts between local accounts and AFS.
> 
> If you want the *numbers* to match your local UIDs, that's more what I was
> commenting on.  (And you'll still have a problem if you have conflicts.)

The hypothetical daemon I'm thinking of would communicate with the
kernel AFS components.. the kernel FS layer would map remote cell AFS
ID's to something that does not conflict with any local UID's, and then
the mapping daemon could provide useful names to userspace via nsswitch
services.
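
The mapping idea in this message, sketched in userspace as an added example; it is not code from the original post or from OpenAFS. The class and method names, the reserved UID range and the cell names are assumptions. It shows why the mapping is keyed on (cell, AFS ID) and why every assignment is checked against local UIDs, since ownership checks trust the number.

```python
"""In-memory model of a (cell, AFS ID) -> local UID mapper; all names are hypothetical."""

class CellUidMapper:
    def __init__(self, local_uids, base=1_000_000, limit=2_000_000):
        # base/limit: assumed range set aside for mapped remote identities.
        self.local_uids = set(local_uids)
        self.limit = limit
        self.next_uid = base
        self.forward = {}  # (cell, afs_id) -> mapped UID
        self.reverse = {}  # mapped UID -> (cell, afs_id, display name or None)

    def _allocate(self):
        # Skip anything a local account or an earlier mapping already owns.
        while self.next_uid in self.local_uids or self.next_uid in self.reverse:
            self.next_uid += 1
        if self.next_uid >= self.limit:
            raise RuntimeError("mapped UID range exhausted")
        uid, self.next_uid = self.next_uid, self.next_uid + 1
        return uid

    def premap(self, cell, afs_id, uid, name):
        """Admin pins one remote user to a chosen UID; collisions are refused."""
        key = (cell.lower(), afs_id)
        if uid in self.local_uids or uid in self.reverse or key in self.forward:
            raise ValueError(f"refusing conflicting mapping for {key} -> {uid}")
        self.forward[key] = uid
        self.reverse[uid] = (key[0], afs_id, name)

    def map_uid(self, cell, afs_id):
        """UID the filesystem layer would report for a remote cell's AFS ID."""
        key = (cell.lower(), afs_id)
        if key not in self.forward:
            uid = self._allocate()
            self.forward[key] = uid
            self.reverse[uid] = (key[0], afs_id, None)
        return self.forward[key]

    def name_for(self, uid):
        """Name an nsswitch-style lookup would return; None if not ours."""
        entry = self.reverse.get(uid)
        if entry is None:
            return None  # fall through to the local passwd sources
        cell, afs_id, name = entry
        return name or f"afs{afs_id}@{cell}"

if __name__ == "__main__":
    m = CellUidMapper(local_uids={0, 1000})  # constructed local accounts
    print(m.map_uid("example.org", 1000), m.name_for(m.map_uid("example.org", 1000)))
```
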