[OpenAFS] Re: afsdacl
Frank Cameron
cameron@ctcnsc.org
Thu, 31 Oct 2002 12:32:59 -0500
On Wed, Oct 30, 2002 at 05:14:10PM -0700, David Bear wrote:
> On 2002 10 29 18:32, Frank J. Cameron wrote:
> > afsdacl -set
>
> Is this executable available elsewhere -- outside of patch3?
>
> otherwise, what does it do as to Windows that we might otherwise replicate?
> If it sets regkey acls I could do that with some other mechanism.

You might be able to download Patch 5.1 from here:
http://www.transarc.ibm.com/Downloads/afs36/index.html

From the patch README:

# Defect 12702

This fix provides a new binary that enables administrators to grant all users
permission to start and stop an AFS service on a Windows NT/2000 system.

A default security descriptor on the afsd server permits the following access:

  * Members of the Power Users group and the LocalSystem account have
    SERVICE_START, SERVICE_PAUSE_CONTINUE, and SERVICE_STOP access, plus the
    access rights granted to all users.
  * Members of the Administrators and System Operators groups have
    SERVICE_ALL_ACCESS access.

With this default, only Administrative users can start and stop the
afsd_service. To allow all users to start and stop the afsd_service, the DACL
of the AFS service object must be modified. The following command changes the
DACL:

    afsdacl [-set] [-revoke]

where:

    -set     sets the DACL on AFS service to allow all users
             in USERS group to start and stop services.
    -revoke  revokes the DACL. Only administrators can start and stop services.

The afsdacl binary is installed in AFS/Client/Program.

It looks like it modifies the value of this registry key:

    HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Security\Security

It's hard to tell exactly what it does since this key is in hex. I had a document
that described in some detail what was being done, but I wasn't able to find it
this morning. (Also, I can't remember clearly enough if it was from Transarc
describing this particular tool or from Microsoft describing service security in
general.)
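
Added example, not part of the original message or the Transarc README: a decoder that turns a binary service security descriptor into a list of who holds SERVICE_START and SERVICE_STOP, so a change like `afsdacl -set` can be audited. It assumes the registry value holds a standard self-relative Windows security descriptor; the function names are hypothetical and the sample bytes are constructed here, not captured from afsdacl.

```python
import struct

# Service access-right bits from the Windows SDK (winsvc.h).
SERVICE_START, SERVICE_STOP, SERVICE_PAUSE_CONTINUE = 0x0010, 0x0020, 0x0040
SERVICE_ALL_ACCESS, SE_DACL_PRESENT = 0xF01FF, 0x0004

def sid_to_str(buf, off):
    """Decode the binary SID at buf[off:] into S-1-... form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from(f"<{count}I", buf, off + 8)
    return "-".join(["S", str(rev), str(authority), *map(str, subs)])

def dacl_entries(sd):
    """Return [(ace_type, sid, mask)] from a self-relative security descriptor."""
    _rev, _sbz, control, _own, _grp, _sacl, dacl = struct.unpack_from("<BBHIIII", sd)
    if not control & SE_DACL_PRESENT or dacl == 0:
        return []
    ace_count = struct.unpack_from("<H", sd, dacl + 4)[0]
    off, out = dacl + 8, []
    for _ in range(ace_count):
        ace_type, _flags, size, mask = struct.unpack_from("<BBHI", sd, off)
        if ace_type in (0, 1):      # ACCESS_ALLOWED / ACCESS_DENIED: mask + SID
            out.append((ace_type, sid_to_str(sd, off + 8), mask))
        off += size                 # other ACE types are skipped by size
    return out

def can_start_and_stop(sd):
    """SIDs with an allow ACE for START and STOP (deny ACEs not evaluated)."""
    need = SERVICE_START | SERVICE_STOP
    return [sid for ace_type, sid, mask in dacl_entries(sd)
            if ace_type == 0 and mask & need == need]

# Constructed sample descriptor (an assumption for illustration only).
def make_sid(*subs):                # SID under NT authority (5)
    return struct.pack(f"<BB6s{len(subs)}I", 1, len(subs), (5).to_bytes(6, "big"), *subs)
def make_ace(mask, sid):            # ACCESS_ALLOWED_ACE
    return struct.pack("<BBHI", 0, 0, 8 + len(sid), mask) + sid
def build_sample(aces):
    body = b"".join(make_ace(m, s) for m, s in aces)
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl  # DACL at offset 20

SAMPLE = build_sample([
    (SERVICE_ALL_ACCESS, make_sid(32, 544)),                    # Administrators
    (SERVICE_START | SERVICE_STOP | SERVICE_PAUSE_CONTINUE, make_sid(32, 547)),  # Power Users
    (SERVICE_START | SERVICE_STOP, make_sid(32, 545)),          # Users, as after "-set"
])
```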