[OpenAFS] bos getlog
Derrick J Brashear
shadow@dementia.org
Sat, 21 Jul 2001 14:22:14 -0400 (EDT)
On Sat, 21 Jul 2001, Charles Clancy wrote:
> > > Couldn't we limit the files it grabs to those in /usr/afs/logs?
> > > I'm just thinking of possible attack scenarios:
> > 4 is pointless if you have 3; just use bos exec.
>
> I never noticed "bos exec". Wow.
>
> In order to create volumes, you have to be in the bos superusers,
> correct? It seems to me there should be a distinction between someone
> able to administer volumes and someone able to remotely run commands as
> root on the AFS server.

Check out the bosserver restricted mode (more info in the NEWS file; use
--enable-bos-restricted-mode at configure time to enable it).

-D