[OpenAFS] Questions about AFS security
Charles Clancy
security@xauth.net
Sun, 20 Jan 2002 16:44:51 -0600 (CST)
On 20 Jan 2002, Patrick J. LoPresti wrote:
> Charles Clancy <security@xauth.net> writes:
>
> > > I know AFS can work within a Kerberos 5 infrastructure, but you have
> > > to run krb524d (right?).
> >
> > I'm pretty sure you only need krb524d if you're running fakeka (am
> > I right, guys?).
>
> I forgot to mention we are also going to have Windows clients, which
> may or may not affect the answer to my question. (I had the
> impression that the standard OpenAFS Windows client did not know how
> to deal with Kerberos 5 directly.)
Well, you need the win32 Kerberos 5 client installed too. There's a win32
aklog.exe that works just fine. Last summer, I got a client for Windows
98 working great, deployed to 1900-or-so laptops.
> > > My question is, does being an AFS administrator automatically allow
> > > you to run things as root on the AFS server? (I thought I read about
> > > a "bos exec" command or something.)
> >
> > Yes, it does -- i.e. if 'bos listusers' lists your username, which is
> > different from 'pts mem system:administrators' listing your username.
>
> Ah, I missed that distinction. What capabilities do members of
> system:administrators have other than managing any ACL? Can they
> release a volume? Or dump one? Or move one?
System:administrators can do all the vos, pts, and fs commands. Members
of 'bos listusers' can do bos stuff, like stop/restarting the server
processes, and the 'bos exec' too. People who have had 'kas setfields
<user> -flags admin' can manage the kaserver (create users, etc), but
you're not using that.
> In case it is not obvious, I am trying to design a system where all
> routine administrative tasks can be performed by people without root
> access on the file servers.
Well, a simple system:administrators membership should do it for you.
Also, they'd probably need to be Kerberos admins too, but that's
completely unrelated to AFS.
> > > If so, is there any way I can disable this? If not, does anyone have
> > > ideas for how I can get a tamper-proof log of the actions of our AFS
> > > admins?
> >
> > ./configure --enable-bos-restricted-mode
> > should do it for you.
>
> I would prefer to use prepackaged RPMs if I can. But if I must build
> my own, I will.
Don't 'bos adduser' your admins, and then you can use the RPMs all around.
I doubt your average admins will need access to the bosserver. If they
do, then you'd want to recompile with the restricted mode flags.
--
t. charles clancy <> tclancy@uiuc.edu <> www.uiuc.edu/~tclancy
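As an added example, not code from the thread or from OpenAFS itself: a small POSIX shell audit of the privilege split discussed above. It parses the output of `bos listusers <server>` and `pts membership system:administrators` (the command output formats are assumed from the OpenAFS documentation; the sample output in the block is constructed) and lists any AFS administrator who is also a bosserver superuser, which is the combination the reply advises against.

```shell
#!/bin/sh
# Added example (not from the thread or OpenAFS): audit the split described
# above. Members of system:administrators get vos/pts/fs rights; names in
# 'bos listusers' get bosserver rights including 'bos exec'. The desired
# state is that no AFS admin appears in both lists.
# Assumed output formats (from OpenAFS docs):
#   bos listusers <server>  ->  "SUsers are: alice carol"
#   pts membership system:administrators
#       ->  "Members of system:administrators (id: -204) are:" followed by
#           one indented name per line

# Turn 'bos listusers' output on stdin into one sorted name per line.
parse_bos_users() {
    sed -n 's/^SUsers are: *//p' | tr ' ' '\n' | grep -v '^$' | sort -u
}

# Turn 'pts membership' output on stdin into one sorted name per line
# (drop the header line, strip indentation).
parse_pts_members() {
    sed '1d; s/^[[:space:]]*//' | grep -v '^$' | sort -u
}

# Print names present in both sorted files, i.e. AFS admins who are also
# bos superusers. Empty output is the recommended configuration.
admins_with_bos() {
    comm -12 "$1" "$2"
}

# Live use against a real cell (not run here; hostname is a placeholder):
#   bos listusers fs1.example.org | parse_bos_users > bos.txt
#   pts membership system:administrators | parse_pts_members > pts.txt
#   admins_with_bos bos.txt pts.txt

# Offline demonstration on constructed sample output.
tmp=$(mktemp -d)
printf 'SUsers are: alice carol\n' | parse_bos_users > "$tmp/bos"
printf 'Members of system:administrators (id: -204) are:\n  alice\n  bob\n' \
    | parse_pts_members > "$tmp/pts"
admins_with_bos "$tmp/bos" "$tmp/pts"   # prints: alice
rm -rf "$tmp"
```

Run it per file server, since `bos listusers` reads each server's own UserList; an empty result from admins_with_bos means the admins can be handed system:administrators membership without also getting root-equivalent bos access.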