[OpenAFS] creating alternate admin accounts for OpenAFS & krb
Matthew N. Andrews
Thu, 23 Jan 2003 11:35:32 -0800
>On Wed, Jan 22, 2003 at 01:12:04PM -0500, Derrick J Brashear wrote:
>>On Wed, 22 Jan 2003, Lee Damon wrote:
>>>I can do pts createuser and pts adduser, so I'm clearly running with higher
>>>access. However, I still can't do a vos create. This tells me I need to
>>>go back and re-read some documentation about setting an access level somewhere,
>>>but I'm sure I'll figure that out now that this is working.
>>bos listusers (servername) -local
>>bos adduser (servername) nomad.afs -local
>Are users listed by "listusers" allowed to use any bos command on
>If yes, nomad.afs could use "bos exec", get the afs-key
>(by ftp or whatever) and take over the whole cell.
>Isn't that a security risk?
AFS currently doesn't provide facilities for allowing admins to perform
some, but not all, administrative tasks. There have been several
projects to create delegation services which allow fine-grained control
over who can perform what tasks.
I think the one used by the Andrew group at CMU is called adm (Derrick,
correct me if my memory is failing here) and CMU CS used a system called
jeeves. I'm not sure about the suitability, or availability for public
consumption, of either of these systems though.
This is really a general problem for the administration of all sorts of
and is not really specific to afs.
anyone who knows of other similar services, and can make
recommendations, or comments