[OpenAFS] Questions about AFS security

Patrick J. LoPresti patl@curl.com
20 Jan 2002 17:30:39 -0500


Charles Clancy <security@xauth.net> writes:

> > I know AFS can work within a Kerberos 5 infrastructure, but you have
> > to run krb524d (right?).
> 
> I'm pretty sure you only need krb524d if you're running fakeka (am
> I right, guys?).

I forgot to mention we are also going to have Windows clients, which
may or may not affect the answer to my question.  (I had the
impression that the standard OpenAFS Windows client did not know how
to deal with Kerberos 5 directly.)

> > My question is, does being an AFS administrator automatically allow
> > you to run things as root on the AFS server?  (I thought I read about
> > a "bos exec" command or something.)
> 
> Yes, it does -- i.e. if 'bos listusers' lists your username, which is
> different from 'pts mem system:administrators' listing your username.

Ah, I missed that distinction.  What capabilities do members of
system:administrators have other than managing any ACL?  Can they
release a volume?  Or dump one?  Or move one?

In case it is not obvious, I am trying to design a system where all
routine administrative tasks can be performed by people without root
access on the file servers.

> > If so, is there any way I can disable this?  If not, does anyone have
> > ideas for how I can get a tamper-proof log of the actions of our AFS
> > admins?
> 
> ./configure --enable-bos-restricted-mode
> should do it for you.

I would prefer to use prepackaged RPMs if I can.  But if I must build
my own, I will.

Thank you!

 - Pat
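
The distinction raised in this thread (being listed by 'bos listusers' versus being a member of system:administrators) can be audited per principal. The script below is an added example, not part of the original message or of OpenAFS; the sample text is constructed, the output formats of the two commands are assumed to look like the samples, and fs1.example.com is a placeholder server name.

```shell
#!/bin/sh
# Constructed sample output (not from a real cell). Assumed formats of
# `bos listusers <server>` and `pts membership system:administrators`.
BOS_SAMPLE='SUsers are: alice bob'
PTS_SAMPLE='Members of system:administrators (id: -204) are:
  alice
  carol'

# Names on the bosserver user list (the ones 'bos listusers' reports).
bos_superusers() {
    printf '%s\n' "$1" | sed -n 's/^SUsers are: *//p' \
        | tr -s ' ' '\n' | sed '/^$/d' | sort -u
}

# Members of the protection group: the indented lines after the header.
pts_admins() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]][[:space:]]*//p' | sort -u
}

# classify BOS_TEXT PTS_TEXT -> one "name<TAB>rights" line per principal,
# so accounts holding server-level bos rights stand out from ACL admins.
classify() {
    b=$(bos_superusers "$1")
    p=$(pts_admins "$2")
    for n in $(printf '%s\n%s\n' "$b" "$p" | sort -u); do
        inb=no; inp=no
        printf '%s\n' "$b" | grep -qxF -- "$n" && inb=yes
        printf '%s\n' "$p" | grep -qxF -- "$n" && inp=yes
        case "$inb$inp" in
            yesyes) r='bos-superuser+system:administrators' ;;
            yesno)  r='bos-superuser' ;;
            noyes)  r='system:administrators' ;;
        esac
        printf '%s\t%s\n' "$n" "$r"
    done
}

# Live use (placeholder server name):
#   classify "$(bos listusers fs1.example.com)" \
#            "$(pts membership system:administrators)"
classify "$BOS_SAMPLE" "$PTS_SAMPLE"
```

Run per file server, since each bosserver keeps its own user list.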