[OpenAFS] ACLs and open-afs

Douglas E. Engert deengert@anl.gov
Thu, 10 Oct 2002 16:32:46 -0500


Derrick J Brashear wrote:
> 
> On Thu, 10 Oct 2002, Jim Rees wrote:
> 
> >   Actually it has turned out to be a blessing. There are very few situations
> >   where in AFS you need to have an ACL on a file.
> >
> > Allow me to vehemently disagree.  Lack of file acls is one of the greatest
> > misfeatures of afs.
> []
> > DCE got a few things right, and this is one of them.
> 
> I have to say I agree with Jim on this one. I wish I had time to work on
> something like this, but sadly AFS isn't my full-time job:-)

It's not my full-time job either.

We tried DCE/DFS as an AFS replacement, and it never did catch on. It's gone now.
Complex ACLs were just one of the problems.

Well, I guess we can disagree. If the ACLs were on AFS, some might use them.

BUT access rights to a home directory in AFS are a problem, and it is aggravated
by the way the systems access it during login. This has been a pet peeve of mine,
which has never been resolved.

During login (or sshd, or whatever) the local system tries to access a home
directory in AFS without a token. Thus the top-level directory needs to be
at least "l" to follow a symlink to the "rl" directory with world-readable dot files.
(And as Jim points out, this can be a mess.)

I would argue that if the login daemon obtained a token for the user before
ever looking at the home directory, the home directory would not need to be "l"
and could be protected the way it should be.

The token represents the network user, the Kerberos/AFS principal, which had been
authenticated via a Kerberos authentication, or a password to the host and to the
file server. At this point the token can be used for AFS access, even though the
local unix UID or home directory has not been determined.

One place where this would help is with the .k5login file. It is used to determine
that the Kerberos principal can use the local UNIX account, because the
PW.entry->homedir->.k5login and the .k5login lists the name of the principal.
With current systems this test is done early, before a token is obtained, but if
a token for the user was obtained before this, the .k5login could be in the
home directory, readable only by the user.

So if you really want to improve the access controls on the home directory, get
the system daemons and PAM exits to get the token early.


> 
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
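As an added illustration of the .k5login step discussed in the message above (this is example code written for this page, not code from OpenAFS, MIT Kerberos or the author), here is a simplified model of the kuserok-style check a login daemon performs: it resolves the passwd entry's home directory, opens `.k5login` there, and looks for the principal as an exact, whole-line match. The point the mail makes is the third outcome: if the daemon has no AFS token yet and the home directory is not at least "l"/"rl" to system:anyuser, the file cannot be read at all, and the check cannot distinguish "not listed" from "not reachable". The principal names, the temporary directories and the `.k5login` contents are constructed for the example; real MIT krb5 kuserok() additionally falls back to the default principal-to-username mapping when no `.k5login` exists, which is omitted here so the unreadable case stays visible.

```python
import os
import tempfile
from enum import Enum


class K5Result(Enum):
    ALLOWED = "allowed"        # principal listed in ~/.k5login
    DENIED = "denied"          # ~/.k5login read, principal not listed
    UNREADABLE = "unreadable"  # ~/.k5login could not be opened (e.g. no AFS token yet)


def check_k5login(principal: str, homedir: str) -> K5Result:
    """Simplified kuserok(): one principal per line, matched exactly.

    No wildcards and no comment syntax exist in .k5login, so a line such as
    '# alice@EXAMPLE.ORG' never matches anything. Trailing newlines are
    stripped; nothing else is normalised.
    """
    path = os.path.join(homedir, ".k5login")
    try:
        with open(path, "r", encoding="utf-8") as fh:
            for line in fh:
                if line.rstrip("\n") == principal:
                    return K5Result.ALLOWED
    except (PermissionError, FileNotFoundError):
        # This is the case the mail describes: the daemon looks at the home
        # directory before it holds a token, so AFS refuses the read. The
        # real fallback (default name mapping) is deliberately not modelled.
        return K5Result.UNREADABLE
    return K5Result.DENIED


def demo() -> dict:
    """Constructed scenario: a home directory whose .k5login lists one principal."""
    results = {}
    with tempfile.TemporaryDirectory() as home:
        with open(os.path.join(home, ".k5login"), "w", encoding="utf-8") as fh:
            fh.write("alice@EXAMPLE.ORG\n")
            fh.write("# bob@EXAMPLE.ORG\n")   # not a comment: just a non-matching line
        results["listed"] = check_k5login("alice@EXAMPLE.ORG", home)
        results["commented"] = check_k5login("bob@EXAMPLE.ORG", home)
        results["other"] = check_k5login("mallory@EXAMPLE.ORG", home)
    # A home directory the daemon cannot see into yet; modelled as an empty
    # directory, since AFS's token-dependent ACL cannot be reproduced locally.
    with tempfile.TemporaryDirectory() as unreachable:
        results["unreadable"] = check_k5login("alice@EXAMPLE.ORG", unreachable)
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {result.value}")
```

With the ordering the mail argues for (token first, then passwd lookup and `.k5login`), the UNREADABLE outcome disappears for a correctly authenticated user, and the home directory's ACL can drop the system:anyuser "l" entry entirely.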