[OpenAFS] ftp overrides AFS permissions

Neulinger, Nathan nneul@umr.edu
Tue, 30 Mar 2004 10:06:20 -0600


That's not very safe. If all you are doing is dropping the pag, if you
ever authenticate as root outside of a pag again on that box (granted,
not a good idea), you'll be giving your new token to the ftp server. You
should just run the ftp server in its own pag, which can be done with
the standard tools provided with an afs install without having to create
a new one.

-- Nathan

------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul@umr.edu
University of Missouri - Rolla         Phone: (573) 341-6679
UMR Information Technology             Fax: (573) 341-4216

> -----Original Message-----
> From: openafs-info-admin@openafs.org
> [mailto:openafs-info-admin@openafs.org] On Behalf Of Christopher Allen Wing
> Sent: Tuesday, March 30, 2004 8:54 AM
> To: J S
> Cc: openafs-info@openafs.org
> Subject: Re: [OpenAFS] ftp overrides AFS permissions
>
> Sure, the usual cause of this problem is that you logged in as root,
> obtained a PAG and an administrator token, and then started the FTP
> server. In this case the FTP server will inherit the PAG and tokens.
>
> The solution is to never start a daemon process as root if you have AFS
> tokens.
>
> Here is a program that when run as root will remove the current PAG:
>
> 	http://www-personal.engin.umich.edu/~wingc/code/unpagsh.c
>
> When restarting a daemon process, what I usually do first is:
>
> 	1. Become root
>
> 	2. Run 'unpagsh' to drop any PAG
>
> 	3. Run 'tokens' to make sure that the default PAG for root does
> 	   not have tokens
>
> -Chris Wing
> wingc@engin.umich.edu
>
> On Tue, 30 Mar 2004, J S wrote:
>
> > Hi,
> >
> > I have noticed that when I ftp to a host with an AFS client as my normal
> > userid, I can cd/del/put into AFS directories where I don't have
> > permissions. I can do this even though I haven't logged on to AFS. The root
> > userid on this box has administrator privileges on AFS but I'm ftp'ing with
> > my own userid.
> >
> > Does anyone get this?
> >
> > Thanks for any help.
> >
> > Ed.
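
The two suggestions in this thread, starting the daemon in its own PAG and checking `tokens` first, combined in one wrapper. This is an added example, not code from the thread or from OpenAFS. It assumes the stock `pagsh` and `tokens` commands are on PATH and that `pagsh` passes its arguments on to the shell it execs; the function names are hypothetical and the sample `tokens` output is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumes the stock OpenAFS `pagsh` and `tokens` commands are on PATH.

# Constructed samples of `tokens` output; cell name and AFS ID are made up.
SAMPLE_WITH_TOKEN="Tokens held by the Cache Manager:

User's (AFS ID 1234) tokens for afs@example.edu [Expires Mar 30 20:00]
   --End of list--"
SAMPLE_EMPTY="Tokens held by the Cache Manager:

   --End of list--"

# Print how many token entries appear in `tokens` output read from stdin.
# Entries contain "tokens for <principal>"; the header line and the
# "--End of list--" trailer do not.
count_afs_tokens() {
    grep -ci 'tokens for ' || true   # grep exits 1 on zero matches
}

# Start a command in a fresh PAG so it cannot see tokens held by the
# invoking shell, nor tokens later obtained by root outside any PAG.
# Assumption: pagsh passes its arguments on to the shell it execs, so
# the command arrives as $0 and "$@" of the -c script.
start_in_new_pag() {
    pagsh -c '
        n=$(tokens | grep -ci "tokens for ")
        if [ "${n:-0}" -ne 0 ]; then
            echo "refusing to start: new PAG already holds tokens" >&2
            exit 1
        fi
        exec "$0" "$@"
    ' "$@"
}

# Usage: sh start-in-pag.sh --start /path/to/daemon [args...]
if [ "${1:-}" = "--start" ]; then
    shift
    start_in_new_pag "$@"
fi
```
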