[OpenAFS] OpenAFS on Linux 2.5.x
Derek Atkins
warlord@MIT.EDU
17 Apr 2003 17:03:10 -0400
"Neulinger, Nathan" <nneul@umr.edu> writes:
> On a side note - if kerberos cred cache were in the kernel instead of a
> file on disk, I'd probably agree that it would be better to design it so
> that even root couldn't get access to other pags, but it doesn't really
> buy you much right now.
Why not? I regularly do:

  get_pag()
  kinit warlord/root
  aklog <cell>
  kdestroy

This is just as effective, no?

-derek
> ------------------------------------------------------------
> Nathan Neulinger EMail: nneul@umr.edu
> University of Missouri - Rolla Phone: (573) 341-4841
> Computing Services Fax: (573) 341-4216
>
>
> > -----Original Message-----
> > From: Derek Atkins [mailto:warlord@MIT.EDU]
> > Sent: Thursday, April 17, 2003 2:34 PM
> > To: Neulinger, Nathan
> > Cc: OpenAFS-info@openafs.org
> > Subject: Re: [OpenAFS] OpenAFS on Linux 2.5.x
> >
> >
> > ok.. I sit corrected.
> >
> > -derek
> >
> > "Neulinger, Nathan" <nneul@umr.edu> writes:
> >
> > > Exactly. And I use this all the time on our Linux boxes in conjunction
> > > with kdump -users to clean up token accumulation. Possibly don't need it
> > > any more, but I know there wasn't garbage collection at some point, or
> > > it wasn't enabled. I do something similar on HP, though it is less
> > > accurate due to not having /proc. (Only used on our two interactive
> > > machines where it's ok to say "if you don't have a process owned by you,
> > > you can't have tokens for your ptsid in the kernel".)
> > >
> > > -- Nathan
> > >
> > > ------------------------------------------------------------
> > > Nathan Neulinger EMail: nneul@umr.edu
> > > University of Missouri - Rolla Phone: (573) 341-4841
> > > Computing Services Fax: (573) 341-4216
> > >
> > >
> > > > -----Original Message-----
> > > > From: Chaskiel M Grundman [mailto:cg2v@andrew.cmu.edu]
> > > > Sent: Thursday, April 17, 2003 1:55 PM
> > > > To: OpenAFS-info@openafs.org
> > > > Subject: Re: [OpenAFS] OpenAFS on Linux 2.5.x
> > > >
> > > >
> > > > --On Thursday, April 17, 2003 14:38:36 -0400 Derek Atkins
> > > > <warlord@MIT.EDU> wrote:
> > > >
> > > > > I do not think you want to be able to join an existing pag. That would
> > > > > be a potential security violation. One of the benefits of PAGs is that
> > > > > even 'root' can't just join one (without additional kernel hacking)...
> > > >
> > > > No kernel hacking required. If you setgroups a list that includes magic pag
> > > > groups at the end, you can join any pag you want (setgroups is root only,
> > > > of course)
> > > > _______________________________________________
> > > > OpenAFS-info mailing list
> > > > OpenAFS-info@openafs.org
> > > > https://lists.openafs.org/mailman/listinfo/openafs-info
> > > >
> >
> > --
> > Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> > Member, MIT Student Information Processing Board (SIPB)
> > URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
> > warlord@MIT.EDU PGP key available
> >
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available