[OpenAFS] Questions about AFS security

Charles Clancy security@xauth.net
Sun, 20 Jan 2002 15:19:20 -0600 (CST)


> I know AFS can work within a Kerberos 5 infrastructure, but you have
> to run krb524d (right?).

I'm pretty sure you only need krb524d if you're running fakeka (am
I right, guys?).

> My question is, does being an AFS administrator automatically allow
> you to run things as root on the AFS server?  (I thought I read about
> a "bos exec" command or something.)

Yes, it does -- i.e. if 'bos listusers' lists your username, which is
different from 'pts mem system:administrators' listing your username.

> If so, is there any way I can disable this?  If not, does anyone have
> ideas for how I can get a tamper-proof log of the actions of our AFS
> admins?

./configure --enable-bos-restricted-mode
should do it for you.

--
t. charles clancy <> tclancy@uiuc.edu <> www.uiuc.edu/~tclancy
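
The reply above separates two privilege lists: the names 'bos listusers' reports (which it says can run commands as root on the server) and the members of system:administrators. The script below is an added example, not part of the original message or of OpenAFS; it compares the two lists so the server-level names can be reviewed. The sample text and its layout are constructed and assume the usual output format of the two commands; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample output, not taken from a real cell. On a live cell the
# text would come from the two commands named in the message:
#   bos listusers <server>
#   pts mem system:administrators
BOS_SAMPLE='SUsers are: admin alice backupop'
PTS_SAMPLE='Members of system:administrators (id: -204) are:
  admin
  bob'

# Names in the server's UserList: every field after "SUsers are:".
bos_superusers() {
    printf '%s\n' "$1" |
        awk '/^SUsers are:/ { for (i = 3; i <= NF; i++) print $i }' | sort -u
}

# Group members: the non-empty lines that follow the "Members of" header.
pts_admins() {
    printf '%s\n' "$1" | awk '!/^Members of / && NF { print $1 }' | sort -u
}

# Print names in newline-separated list $1 that are absent from list $2.
# grep exits 1 when nothing is left, which is not an error here.
only_in() {
    printf '%s\n' "$1" | grep -Fxv -e "$2" || true
}

# Report names that appear in only one of the two lists.
#   bos-only: in the server UserList but not in system:administrators
#   pts-only: in system:administrators but not in the server UserList
audit() {
    bos=$(bos_superusers "$1")
    pts=$(pts_admins "$2")
    for u in $(only_in "$bos" "$pts"); do echo "bos-only $u"; done
    for u in $(only_in "$pts" "$bos"); do echo "pts-only $u"; done
}

audit "$BOS_SAMPLE" "$PTS_SAMPLE"
```

Each file server keeps its own UserList, so the comparison has to be repeated per server.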