[OpenAFS] keeping openafs from breaking group security
Matthew Miller
mattdm@mattdm.org
Sun, 6 Feb 2005 13:02:23 -0500
On Sun, Feb 06, 2005 at 12:51:45PM -0500, Derrick J Brashear wrote:
> My suggestion in this case would be "stop giving users groups" but I don't
> know your environment. [...]
Environment is "standard chaotic university". However, everyone does have a
specific globally assigned UID. There are a lot of shared systems running
Red Hat Linux or derived distributions (as does a lot of the world), and
it's standard practice for each user to have a private group matching their
user id.
There are a lot of very good and valid reasons for doing this which I don't
think this is the place to discuss -- the important thing is that assigning
supplementary groups is perfectly reasonable, standard Unix behavior, and
OpenAFS is the one imposing the "surprise" breakage.
I know there are many other people not at BU using my OpenAFS RPMs on Fedora
Core. They're probably exposed to this problem too, and might not even know
it, since this isn't exactly highlighted in big letters anywhere.
> [...] If you want to disable PAGs, it seems pretty
> simple; Make the SetPag pioctl a no-op.
Thanks. I'll probably do this until a better place to store this information
can be found.
--
Matthew Miller mattdm@mattdm.org <http://www.mattdm.org/>
--> Fedora Users & Developers Conference, hosted by Boston University <--
February 18th, 2005 <http://fedoraproject.org/fudcon/>