[OpenAFS-devel] kuserok() checking UID ownership on afs
Douglas E. Engert
deengert@anl.gov
Thu, 03 Feb 2005 06:35:33 -0600
Jeffrey Hutzelman wrote:
>>> 1. Acquire krbtgt (forwarded or with passwd) to memory
>>> 2. Set up AFS stuff (afs service ticket, token, pag) if possible
>>> 3. Evaluate .k5login
>>> 4. Decide if user is OK
>>> 5. Give ticket to user
>>> 6. Login user into pag from above
>
>
>> It's not the Kerberos code that needs bending, it's the login applications
>> that need to get credentials to access the potential home directory
>> before trying to access any files in the home directory.
>
>
> Unfortunately, you're both trying to solve not the problem that Troy and
> Russ were actually discussing. You're trying to solve the "I can't
> access the user's .k5login" problem, but the problem they were talking
> about is "how can I prove that no one _except_ the user could have
> written to the .k5login?".
>
Those are both valid problems.
Maybe it's time to get rid of the .k5login; it has some security implications,
where a user can give access to his accounts. Some sites might not like
this flexibility.
The related problem I would like to solve is that I don't want to have to have
the dot files world-readable so that root on a machine I am on can read the
.k5login without a token, and I don't want to have to play all the games of symlinks
to a dotfile directory with rl.
> -- Jeff
>
>
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
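The ownership check the thread argues about, as an added example that is not code from the thread or from any Kerberos implementation. It models the usual kuserok() policy (file owned by the user or root, not writable by group or others, principal listed) as an assumption, and the principal names are constructed; the comment on AFS restates Jeff's point that a UID/mode check proves nothing there.

```python
import os
import stat
import tempfile


def k5login_decision(owner_uid, mode, lines, principal, uid):
    """Pure policy: may `principal` log in as local uid `uid`, given the
    owner, mode bits and contents of that user's .k5login?  (Assumed
    policy, in the spirit of kuserok(); not any one implementation.)"""
    # The file must belong to the user (or root), so nobody else could have written it...
    if owner_uid not in (uid, 0):
        return False
    # ...and nobody else may have write permission on it.
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return principal in (ln.strip() for ln in lines)


def k5login_allows(path, principal, uid):
    """Apply the policy to a real file.  On AFS the uid and mode bits
    reported by stat() are not what governs write access (the directory
    ACL is), so this check is insufficient there, which is the problem
    the thread is discussing."""
    try:
        st = os.stat(path)
        with open(path) as fh:
            lines = fh.readlines()
    except OSError:
        return False
    return k5login_decision(st.st_uid, st.st_mode, lines, principal, uid)


def demo():
    """Constructed scenario on a local temp dir: one .k5login, safe and unsafe modes."""
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".k5login")
        with open(path, "w") as fh:
            fh.write("alice@EXAMPLE.ORG\n")  # constructed principal
        os.chmod(path, 0o600)
        results = {
            "owner_ok": k5login_allows(path, "alice@EXAMPLE.ORG", uid),
            "other_principal": k5login_allows(path, "mallory@EXAMPLE.ORG", uid),
        }
        os.chmod(path, 0o666)  # now anyone could have appended a principal
        results["world_writable"] = k5login_allows(path, "alice@EXAMPLE.ORG", uid)
        return results


if __name__ == "__main__":
    print(demo())
```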