[OpenAFS] Questions about AFS security
Charles Clancy
security@xauth.net
Sun, 20 Jan 2002 17:24:00 -0600 (CST)
On Sun, 20 Jan 2002, Derrick J Brashear wrote:
> Charles Clancy wrote:
> > System:administrators can do all the vos, pts, and fs commands. Members
> > of 'bos listusers' can do bos stuff, like stop/restarting the server
> > processes, and the 'bos exec' too. People who have had 'kas setfields
> > <user> -flags admin' can manage the kaserver (create users, etc), but
> > you're not using that.
>
> Not quite true. vos operations may use UserList (bos listuser) if they
> involve manipulating ot quite true. In many cases vos operations use
> UserList; You are, after all, manipulating the server's disk.

Looks like your editor mutilated your message. I think I get the idea,
though.

I tested the following as a member of system:administrators:

    addsite    add a replication site
    backup     make backup of a volume
    create     create a new volume
    dump       dump a volume
    release    release a volume
    remove     delete a volume
    remsite    remove a replication site
    rename     rename a volume
    restore    restore a volume

and was able to do all of them without any 'access denied' errors. I took
that sampling to mean all vos commands worked. Which ones don't?

--
t. charles clancy <> tclancy@uiuc.edu <> www.uiuc.edu/~tclancy