[OpenAFS] keeping openafs from breaking group security
Matthew Miller
mattdm@mattdm.org
Sun, 6 Feb 2005 12:54:07 -0500

On Sun, Feb 06, 2005 at 12:26:13PM -0500, Kris Van Hees wrote:
> What you are seeing is due to how the PAG id is encoded in the groups.
> With the new Linux 2.6 kernel stuff that should go away since other
> facilities like the keyring support can be used for things like this.

I guess that's part of my question: I'm using the Linux 2.6 kernel now; how
soon will this "go away"?

> The answer to the security risk of encoding the PAG in the group ids is of
> course in part that when you're using AFS you could be using the AFS ACLs
> for securing access to directories rather than using Unix user and group ids.

For things in AFS you could be. But in a mixed environment (a.k.a. "the real
world"), that's not always possible.

It's fine for OpenAFS to have security features which *augment* Unix
security. It's not so good for it to have "features" which *defeat* it.

--
Matthew Miller mattdm@mattdm.org <http://www.mattdm.org/>
--> Fedora Users & Developers Conference, hosted by Boston University <--
February 18th, 2005 <http://fedoraproject.org/fudcon/>