[OpenAFS] ftp overrides AFS permissions

Christopher Allen Wing wingc@engin.umich.edu
Tue, 30 Mar 2004 09:54:02 -0500 (EST)


Sure, the usual cause of this problem is that you logged in as root,
obtained a PAG and an administrator token, and then started the FTP
server. In this case the FTP server will inherit the PAG and tokens.

The solution is to never start a daemon process as root if you have AFS
tokens.

Here is a program that when run as root will remove the current PAG:

	http://www-personal.engin.umich.edu/~wingc/code/unpagsh.c



When restarting a daemon process, what I usually do first is:

	1. Become root

	2. Run 'unpagsh' to drop any PAG

	3. Run 'tokens' to make sure that the default PAG for root does
	   not have tokens


-Chris Wing
wingc@engin.umich.edu



On Tue, 30 Mar 2004, J S wrote:

> Hi,
>
> I have noticed that when I ftp to a host with an AFS client as my normal
> userid, I can cd/del/put into AFS directories where I don't have
> permissions. I can do this even though I haven't logged on to AFS. The root
> userid on this box has administrator privileges on AFS but I'm ftp'ing with
> my own userid.
>
> Does anyone get this?
>
> Thanks for any help.
>
> Ed.
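
A pre-start check for step 3 of the procedure in the reply above, as an added example that is not part of the original thread or of OpenAFS: it parses `tokens` output and refuses to launch a daemon while any credential is listed. The function names, the wrapper and the sample outputs (cell name, AFS ID) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): refuse to start a daemon
# while the current credential set still holds AFS tokens.

# Count token entries in `tokens` output read from stdin. Each credential
# is one line containing "tokens for"; the "Tokens held by the Cache
# Manager:" header and the "--End of list--" trailer do not match.
count_afs_tokens() {
    grep -ci 'tokens for ' || true   # grep exits 1 on zero matches
}

# Succeed only when the given `tokens` output lists no credentials.
# Expired entries are counted too, so a stale credential is also reported.
pag_is_clean() {
    [ "$(printf '%s\n' "$1" | count_afs_tokens)" -eq 0 ]
}

# Hypothetical wrapper, run as root after dropping the PAG:
#   start_daemon_if_clean <daemon> [args...]
start_daemon_if_clean() {
    out=$(tokens) || { echo "cannot run 'tokens'" >&2; return 2; }
    if ! pag_is_clean "$out"; then
        echo "refusing to start $1: AFS tokens present; drop the PAG first" >&2
        return 1
    fi
    exec "$@"
}

# Constructed sample outputs (cell name and AFS ID are placeholders).
SAMPLE_WITH_TOKEN="
Tokens held by the Cache Manager:

User's (AFS ID 1234) tokens for afs@example.edu [Expires Mar 30 19:54]
   --End of list--"

SAMPLE_CLEAN="
Tokens held by the Cache Manager:

   --End of list--"

# Demonstration on the constructed samples; no AFS client is needed.
pag_is_clean "$SAMPLE_WITH_TOKEN" && echo "with token: clean" || echo "with token: NOT clean"
pag_is_clean "$SAMPLE_CLEAN" && echo "no token: clean" || echo "no token: NOT clean"
```

Because the daemon is started with `exec` from the checked shell, it inherits exactly the credential state that was just inspected.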