[OpenAFS] Setting the setacl on newly created volumes

Charles Karney ckarney@sarnoff.com
Sat, 28 Jul 2001 22:37:59 -0400 (EDT)


 > From: Jeffrey Hutzelman <jhutz@cmu.edu>
 > Subject: Re: [OpenAFS] Setting the setacl on newly created volumes
 > Date: Tue, 24 Jul 2001 01:34:49 -0400 (EDT)
 > 
 > On Fri, 20 Jul 2001, Charles Karney wrote:
 > 
 > > To get around this, I would propose one or both of the following
 > > extensions to "vos create"
 > > 
 > > Allow an initial ACL to be specified when a volume is created, e.g.,
 > > 
 > >     vos create server a user.jsmith -max 100000 -acl jsmith all -local
 > >
 > > Alternatively let the owner be specified with
 > > 
 > >     vos create server a user.jsmith -max 100000 -owner jsmith -local
 > 
 > Either of these is hard, but not impossible.  They will require a new
 > variant of the AFSVolCreateVolume RPC, allowing the owner and/or initial
 > ACL to be specified.  They will also require vos or the volserver to
 > perform PTS lookups, which in turn means additional dependencies during
 > the build and when setting up a new cell.  ACL-parsing introduces some
 > additional work, in the form of parsing the ACL on the command line and
 > producing some suitable structure for use over the wire (FWIW, the
 > existing 'fs sa' command does _not_ do any of this -- ACL's are sent to
 > the fileserver in a mostly-text format, and it handles all the name
 > lookups as well as conversion to the format actually used on disk). 

Thanks for the information.  It looks like the most straightforward thing
would be setting the owner, and that would certainly satisfy my needs.
(I'll even accept setting it via a numeric ID if that's easier to
implement.)

 > From: Sam Hartman <hartmans@mekinok.com>
 > Subject: Re: [OpenAFS] Setting the setacl on newly created volumes
 > Date: 21 Jul 2001 07:04:29 -0400
 > 
 > ... I'd like to point out that you can just create a kerberos principal
 > that is in system:administrators that the AFS server has a key to and
 > authenticates as.  It's certainly not a security exposure; given root on
 > a db server, I can use pt_util to add something to
 > system:administrators.

Yes, I understand this (in principle).  My concern is that serious mistakes
can happen when shifting responsibility to a sys admin who is new to AFS.
(E.g., as soon as root acquires a token, all root-owned daemons inherit
this token.  I've also had a problem of root getting a token in a PAG and
then restarting xdm --- then all new xdm users shared a single PAG.  These
are all mistakes I've made in past years!)

For this reason, I believe that allowing an -owner specification on 'vos
create' would actually lead to a safer use of AFS in practice.  Furthermore,
the semantics of this option would seem to be quite natural (paralleling
the -maxquota flag).

-- 
Charles Karney			Email:	ckarney@sarnoff.com
Sarnoff Corporation		Phone:	+1 609 734 2312
Princeton, NJ 08543-5300	Fax:	+1 609 734 2586