[OpenAFS] ftp overrides AFS permissions
Christopher Allen Wing
wingc@engin.umich.edu
Tue, 30 Mar 2004 11:16:36 -0500 (EST)
Sure, that also works. I guess there are several pieces of advice:

1. Don't get AFS tokens as root if at all possible

2. If you need to get AFS tokens as root, make sure that you
   obtain a new PAG first.

3. Make sure that the FTP server is behaving properly. Often,
   there may be PAM-related bugs. The desired behavior is:

     - each new incoming FTP connection forks off a separate
       process
     - each new FTP process obtains a separate PAG and token

If the FTP server is not behaving like this, then it's likely you
will have all sorts of AFS related problems. A classic bug is that
the server obtains an AFS token before changing UID; in this case,
it will give the token to root which is not what you want.

-Chris
wingc@engin.umich.edu
On Tue, 30 Mar 2004, Neulinger, Nathan wrote:
> That's not very safe. If all you are doing is dropping the pag, if you
> ever authenticate as root outside of a pag again on that box (granted,
> not a good idea), you'll be giving your new token to the ftp server. You
> should just run the ftp server in its own pag, which can be done with
> the standard tools provided with an afs install without having to create
> a new one.
>
> -- Nathan