[OpenAFS] Setting the setacl on newly created volumes

Charles Clancy mgrtcc@cs.rose-hulman.edu
Sat, 21 Jul 2001 10:42:47 -0500


> While I don't really see a problem allowing the owner to be specified
> for vos create, I'd like to point out that you can just create a
> kerberos principal that is in system:administrators that the AFS
> server has a key to and authenticates as.  It's certainly not a
> security exposure; given root on a db server, I can use pt_util to add
> something to system:administrators.

We did exactly that on our systems (K5/AFS).  We wanted to have a
web-based utility for users to change their passwords, and help-desk
staff to take care of basic tasks such as password resets and home
volume quota increases, without having direct access to an admin
account.  The web server has access to the keytab with the key, and the
scripts will "kinit;aklog;do-task;unlog;kdestroy" for each transaction
requiring administrative access.

First, create a principal:
krb# kadmin.local
kadmin.local: addprinc root/admin -randkey
kadmin.local: ktadd -k /etc/rootadmin.keytab root/admin
kadmin.local: ^D

Then, create an AFS PTS entry, and make admin:
krb# pts create root.admin
krb# pts add root.admin system:administrators
krb# bos adduser <server> root.admin

To become admin:
host$ kinit -k -t /etc/rootadmin.keytab root/admin
host$ aklog

You won't be prompted for a password.  Just make sure
/etc/rootadmin.keytab is chmod 400, or something.
_________________________________________
Charles Clancy, mgrtcc@cs.rose-hulman.edu
sysadmin emeritus - RHIT Computer Science
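The "kinit;aklog;do-task;unlog;kdestroy" transaction from the post, as an added example script that is not part of the original message: it wraps the task so that tickets and tokens are released even when the task fails, and gives each transaction its own credential cache. The keytab path and principal are the ones from the post; the AFS_DRY_RUN switch and the helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): wrapper for the
# "kinit; aklog; do-task; unlog; kdestroy" transaction the post describes.
# Assumed: keytab path and principal as in the post; AFS_DRY_RUN and the
# helper names are this example's own.

KEYTAB=/etc/rootadmin.keytab
PRINC=root/admin

# _run: execute a credential command, or only print it when AFS_DRY_RUN=1
# (lets the wrapper be exercised on a host without Kerberos/AFS installed).
_run() {
    if [ "${AFS_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# run_as_admin CMD [ARGS...]
# Obtains admin tickets and tokens, runs CMD, then releases them again.
# Returns CMD's exit status; credentials are released even if CMD fails.
run_as_admin() {
    _cc=$(mktemp "${TMPDIR:-/tmp}/afsadm.XXXXXX") || return 1
    # Private credential cache for this transaction, so that concurrent
    # web requests do not read or overwrite each other's tickets.
    KRB5CCNAME="FILE:$_cc"; export KRB5CCNAME
    _status=1
    if _run kinit -k -t "$KEYTAB" "$PRINC" && _run aklog; then
        # The task itself always runs for real (even in dry-run mode).
        if "$@"; then _status=0; else _status=$?; fi
    fi
    # Tear down in every case: failed kinit/aklog, failed task, or success.
    # Note: AFS tokens live in the process's PAG (per UID without one), so
    # for full isolation between concurrent transactions run each under pagsh.
    _run unlog
    _run kdestroy
    rm -f "$_cc"
    unset KRB5CCNAME
    return "$_status"
}
```

Usage: `run_as_admin vos setquota user.alice -max 2000000` performs one transaction; the keytab must stay readable only by the account that runs the scripts.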