[OpenAFS] creating alternate admin accounts for OpenAFS & krb 5

Matthew N. Andrews matt@slackers.net
Thu, 23 Jan 2003 11:35:32 -0800


FBO wrote:

>Hi everyone,
>
>On Wed, Jan 22, 2003 at 01:12:04PM -0500, Derrick J Brashear wrote:
>
>>On Wed, 22 Jan 2003, Lee Damon wrote:
>>
>>>I can do pts createuser and pts adduser, so I'm clearly running with higher
>>>access.  However, I still can't do a vos create.  This tells me I need to
>>>go back and re-read some documentation about setting an access level somewhere,
>>>but I'm sure I'll figure that out now that this is working.
>>
>>bos listusers (servername) -local
>>bos adduser (servername) nomad.afs -local
>
>Are users listed by "listusers" allowed to use any bos command on
>that server?
>
>If yes, nomad.afs could use "bos exec", get the afs-key
>(by ftp or whatever) and take over the whole cell.
>
>Isn't that a security risk?
>
AFS currently doesn't provide facilities for allowing admins to perform
some, but not all, administrative tasks. There have been several projects
to create administrative delegation services which allow fine-grained
control over who can perform what tasks. I think the one used by the
Andrew group at CMU is called adm (Derrick, correct me if my memory is
failing here), and CMU CS used a system called jeeves. I'm not sure about
the suitability, or availability for public consumption, of either of
these systems though. This is really a general problem for the
administration of all sorts of software systems, and is not really
specific to AFS.

Anyone who knows of other similar services and can make recommendations
or comments, please share.

Thanks,
-Matt Andrews

>
>
>
>FBO
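
Added example, not part of the original message and not code from any project named in it: a sketch of the kind of delegation gate the reply describes, where a service holding the admin credentials runs only allowlisted operations for a delegate instead of the delegate being added with bos adduser. The policy table, the authorize helper, the host fs1.example.org and the sample requests are hypothetical; only the command names come from the thread.

```python
import shlex

# Hypothetical policy: operations each delegate may request. Default is deny.
# Exact operation names are required: the AFS suites accept abbreviated
# operation codes, so a denylist of "dangerous" names would be easy to miss.
POLICY = {
    "nomad.afs": {("pts", "createuser"), ("pts", "adduser"), ("vos", "create")},
}
# Arguments no delegate may name, whatever the operation: adding a member to
# system:administrators (AFS id -204) would undo the whole restriction.
PROTECTED = {"system:administrators", "-204"}
SHELL_META = set(";|&`$<>\n\\")


def authorize(principal, request):
    """Return (True, argv) if the request is allowed, else (False, reason)."""
    if SHELL_META & set(request):
        return False, "shell metacharacter in request"
    try:
        argv = shlex.split(request)
    except ValueError:
        return False, "unparseable request"
    if len(argv) < 2:
        return False, "missing operation"
    suite, operation = argv[0], argv[1]
    if (suite, operation) not in POLICY.get(principal, set()):
        return False, f"{suite} {operation} not delegated to {principal}"
    if any(arg.lower() in PROTECTED for arg in argv[2:]):
        return False, "protected group named in arguments"
    # A real service would now run argv with shell=False under its own
    # admin credentials and log principal, argv and result.
    return True, argv


if __name__ == "__main__":
    # Constructed requests, using the commands mentioned in the thread.
    for who, req in [
        ("nomad.afs", "pts createuser -name alice"),
        ("nomad.afs", "pts adduser -user alice -group system:administrators"),
        ("nomad.afs", "bos exec -server fs1.example.org -cmd /bin/date"),
        ("nomad.afs", "vos create fs1.example.org a user.alice; id"),
        ("other.afs", "vos create fs1.example.org a user.alice"),
    ]:
        print(who, "|", req, "->", authorize(who, req))
```

The delegate never appears in the server's UserList; it only talks to the gate, so the question of what bos lets a listed user do does not arise for that principal.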