[OpenAFS] OpenAFS on Linux 2.5.x

Neulinger, Nathan nneul@umr.edu
Thu, 17 Apr 2003 14:39:53 -0500


On a side note - if kerberos cred cache were in the kernel instead of a
file on disk, I'd probably agree that it would be better to design it so
that even root couldn't get access to other pags, but it doesn't really
buy you much right now.

------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul@umr.edu
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216


> -----Original Message-----
> From: Derek Atkins [mailto:warlord@MIT.EDU]
> Sent: Thursday, April 17, 2003 2:34 PM
> To: Neulinger, Nathan
> Cc: OpenAFS-info@openafs.org
> Subject: Re: [OpenAFS] OpenAFS on Linux 2.5.x
>
>
> ok..  I sit corrected.
>
> -derek
>
> "Neulinger, Nathan" <nneul@umr.edu> writes:
>
> > Exactly. And I use this all the time on our linux boxes in conjunction
> > with kdump -users to clean up token accumulation. Possibly don't need it
> > any more, but I know there wasn't garbage collection at some point, or
> > it wasn't enabled. I do something similar on HP, though it is less
> > accurate due to not having /proc. (Only used on our two interactive
> > machines where it's ok to say "if you don't have a process owned by you,
> > you can't have tokens for your ptsid in the kernel".)
> >
> > -- Nathan
> >
> > > -----Original Message-----
> > > From: Chaskiel M Grundman [mailto:cg2v@andrew.cmu.edu]
> > > Sent: Thursday, April 17, 2003 1:55 PM
> > > To: OpenAFS-info@openafs.org
> > > Subject: Re: [OpenAFS] OpenAFS on Linux 2.5.x
> > >
> > >
> > > --On Thursday, April 17, 2003 14:38:36 -0400 Derek Atkins <warlord@MIT.EDU>
> > > wrote:
> > >
> > > > I do not think you want to be able to join an existing pag.  That would
> > > > be a potential security violation.  One of the benefits of PAGs is that
> > > > even 'root' can't just join one (without additional kernel hacking)...
> > > No kernel hacking required. if you setgroups a list that includes magic pag
> > > groups at the end, you can join any pag you want (setgroups is root only,
> > > of course)
> > > _______________________________________________
> > > OpenAFS-info mailing list
> > > OpenAFS-info@openafs.org
> > > https://lists.openafs.org/mailman/listinfo/openafs-info
> > >
>
> --
>        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>        Member, MIT Student Information Processing Board  (SIPB)
>        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
>        warlord@MIT.EDU                        PGP key available
>
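The cleanup Nathan describes in the quoted thread (a ptsid with no process owned by that user should not keep tokens in the kernel) and Chaskiel's remark about "magic pag groups" turn on the same detail: the Linux client tags a process with its PAG by appending two supplementary GIDs to its group list, which is why they show up in /proc. The audit script below is an added example, not code from this thread or from OpenAFS. It decodes those GIDs from /proc/<pid>/status text, reports which uids hold which PAGs, and flags PAGs that hold tokens but no longer belong to any process. The PAG-to-GID encoding it uses (both GIDs offset by 0x3f00, 14 payload bits each, a base-3 digit of the PAG's top nibble in the upper bits, and the letter 'A' in the PAG's top byte) is my recollection of the client's afs_get_pag_from_groups / afs_get_groups_from_pag routines and is an assumption to check against the client source you actually run; the /proc status texts it parses are constructed samples, and `read_live_statuses()` is the hypothetical hook for a real host.

```python
"""Audit which AFS PAGs are live on a Linux host from /proc/<pid>/status.

Added example, not code from this thread or from OpenAFS.  The PAG<->GID
encoding is my recollection of the client's afs_get_pag_from_groups /
afs_get_groups_from_pag and is an ASSUMPTION: two GIDs offset by 0x3f00,
each carrying 14 bits of the PAG plus one base-3 digit of its top nibble,
with the PAG's top byte equal to the letter 'A'.
"""
import glob
from collections import defaultdict

PAG_MARK = ord("A")  # top byte of every PAG id (assumption, see above)
GID_BASE = 0x3f00    # offset added to both encoded GIDs (assumption)


def groups_to_pag(g0, g1):
    """Decode the GID pair (g0, g1) into a PAG id, or None if it is not one."""
    g0 -= GID_BASE
    g1 -= GID_BASE
    if not (0 <= g0 < 0xc000 and 0 <= g1 < 0xc000):
        return None
    low = ((g0 & 0x3fff) << 14) | (g1 & 0x3fff)  # 28 low bits of the PAG
    high = (g0 >> 14) * 3 + (g1 >> 14)           # top nibble, base-3 digits
    pag = (high << 28) | low
    return pag if ((pag >> 24) & 0xff) == PAG_MARK else None


def pag_to_groups(pag):
    """Inverse of groups_to_pag: the two GIDs that tag a process with `pag`."""
    pag &= 0x7fffffff
    g0 = (pag >> 14) & 0x3fff
    g1 = pag & 0x3fff
    g0 |= ((pag >> 28) // 3) << 14
    g1 |= ((pag >> 28) % 3) << 14
    return g0 + GID_BASE, g1 + GID_BASE


def parse_status(text):
    """Parse /proc/<pid>/status text; return (real uid, PAG id or None).

    The client keeps the two PAG GIDs at the END of the supplementary group
    list (which is also why a root setgroups() reproduces them, as the
    thread notes), so only the last two GIDs are examined.
    """
    uid, groups = None, []
    for line in text.splitlines():
        if line.startswith("Uid:"):
            uid = int(line.split()[1])
        elif line.startswith("Groups:"):
            groups = [int(g) for g in line.split()[1:]]
    pag = groups_to_pag(groups[-2], groups[-1]) if len(groups) >= 2 else None
    return uid, pag


def pags_by_uid(statuses):
    """statuses: iterable of (pid, status_text).  Return {pag: set(uids)}."""
    holders = defaultdict(set)
    for _pid, text in statuses:
        uid, pag = parse_status(text)
        if pag is not None:
            holders[pag].add(uid)
    return dict(holders)


def read_live_statuses():
    """Yield (pid, status_text) for every process on a real Linux host."""
    for path in glob.glob("/proc/[0-9]*/status"):
        try:
            with open(path) as fh:
                yield int(path.split("/")[2]), fh.read()
        except OSError:
            continue  # the process exited, or its status is unreadable


def stale_pags(token_pags, holders):
    """PAGs that hold tokens but belong to no live process: candidates to unlog."""
    return sorted(p for p in token_pags if p not in holders)


# Constructed sample (not real /proc output): four processes, two PAGs.
SAMPLE_PAG_A = 0x41000001
SAMPLE_PAG_B = 0x412a5f3c


def _status(uid, gids):
    return "Name:\tbash\nUid:\t%d\t%d\t%d\t%d\nGroups:\t%s \n" % (
        uid, uid, uid, uid, " ".join(str(g) for g in gids))


SAMPLE_STATUSES = [
    (101, _status(1000, (100,) + pag_to_groups(SAMPLE_PAG_A))),
    (102, _status(1000, (100,) + pag_to_groups(SAMPLE_PAG_A))),
    (103, _status(0, (0, 1, 2))),  # root shell, not in any PAG
    (104, _status(1001, (100,) + pag_to_groups(SAMPLE_PAG_B))),
]

if __name__ == "__main__":
    live = pags_by_uid(SAMPLE_STATUSES)  # on a host: pags_by_uid(read_live_statuses())
    for pag, uids in sorted(live.items()):
        print("PAG %#x held by uid(s) %s" % (pag, sorted(uids)))
    # 0x41feed00 stands in for a PAG seen in the token list with no process.
    print("stale:", [hex(p) for p in stale_pags([SAMPLE_PAG_A, 0x41feed00], live)])
```

The decoder deliberately rejects any trailing GID pair whose reconstructed PAG lacks the 'A' marker, so ordinary groups at the end of a process's list are never mistaken for a PAG; on a real host, feed `pags_by_uid(read_live_statuses())` together with the PAG ids from your token listing into `stale_pags` to get the same "no process, no tokens" list the thread's cleanup relies on.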