[OpenAFS] creating alternate admin accounts for OpenAFS & krb 5

FBO fbo2@gmx.net
Thu, 23 Jan 2003 09:47:31 +0100


Hi everyone,

On Wed, Jan 22, 2003 at 01:12:04PM -0500, Derrick J Brashear wrote:
> On Wed, 22 Jan 2003, Lee Damon wrote:
> 
> > I can do pts createuser and pts adduser, so I'm clearly running with higher
> > access.  However, I still can't do a vos create.  This tells me I need to
> > go back and re-read some documentation about setting an access level somewhere,
> > but I'm sure I'll figure that out now that this is working.
> 
> bos listusers (servername) -local
> bos adduser (servername) nomad.afs -local

Are users listed by "listusers" allowed to use any bos command on
that server?

If yes, nomad.afs could use "bos exec", get the afs-key
(by ftp or whatever) and take over the whole cell.

Isn't that a security risk?



FBO