[OpenAFS] ftp overrides AFS permissions
rader@ginseng.hep.wisc.edu
Tue, 30 Mar 2004 10:24:47 -0600
The PAM-aware ftpd-bsd is another option. Isn't that the
preferred ftpd for AFS?
steve
- - -
systems & network guy
high energy physics
university of wisconsin
> ---- Original Message ----
> From: "ted creedon"
> Russ Alberry has an AFS-aware ftp.
>
> Russ perhaps you could post it on your website?
>
> Tedc
>
> -----Original Message-----
> From: openafs-info-admin@openafs.org [mailto:openafs-info-admin@openafs.org]
> On Behalf Of Neulinger, Nathan
> Sent: Tuesday, March 30, 2004 8:06 AM
> To: Christopher Allen Wing; J S
> Cc: openafs-info@openafs.org
> Subject: RE: [OpenAFS] ftp overrides AFS permissions
>
> That's not very safe. If all you are doing is dropping the pag, if you
> ever authenticate as root outside of a pag again on that box (granted,
> not a good idea), you'll be giving your new token to the ftp server. You
> should just run the ftp server in its own pag, which can be done with
> the standard tools provided with an afs install without having to create
> a new one.
>
> -- Nathan
>
> ------------------------------------------------------------
> Nathan Neulinger EMail: nneul@umr.edu
> University of Missouri - Rolla Phone: (573) 341-6679
> UMR Information Technology Fax: (573) 341-4216
>
>
> > -----Original Message-----
> > From: openafs-info-admin@openafs.org
> > [mailto:openafs-info-admin@openafs.org] On Behalf Of
> > Christopher Allen Wing
> > Sent: Tuesday, March 30, 2004 8:54 AM
> > To: J S
> > Cc: openafs-info@openafs.org
> > Subject: Re: [OpenAFS] ftp overrides AFS permissions
> >
> > Sure, the usual cause of this problem is that you logged in as root,
> > obtained a PAG and an administrator token, and then started the FTP
> > server. In this case the FTP server will inherit the PAG and tokens.
> >
> > The solution is to never start a daemon process as root if you have AFS
> > tokens.
> >
> > Here is a program that when run as root will remove the current PAG:
> >
> > http://www-personal.engin.umich.edu/~wingc/code/unpagsh.c
> >
> >
> >
> > When restarting a daemon process, what I usually do first is:
> >
> > 1. Become root
> >
> > 2. Run 'unpagsh' to drop any PAG
> >
> > 3. Run 'tokens' to make sure that the default PAG for root does
> > not have tokens
> >
> >
> > -Chris Wing
> > wingc@engin.umich.edu
> >
> >
> >
> > On Tue, 30 Mar 2004, J S wrote:
> >
> > > Hi,
> > >
> > > I have noticed that when I ftp to a host with an AFS client as my normal
> > > userid, I can cd/del/put into AFS directories where I don't have
> > > permissions. I can do this even though I haven't logged on to AFS. The root
> > > userid on this box has administrator privileges on AFS but I'm ftp'ing with
> > > my own userid.
> > >
> > > Does anyone get this?
> > >
> > > Thanks for any help.
> > >
> > > Ed.
> >
> > _______________________________________________
> > OpenAFS-info mailing list
> > OpenAFS-info@openafs.org
> > https://lists.openafs.org/mailman/listinfo/openafs-info
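
One way to script the check from step 3 together with the suggestion of running the server in its own PAG, as an added example that is not part of the thread. It assumes the stock OpenAFS client commands `tokens`, `pagsh` and `unlog` are on PATH; the function names and the sample `tokens` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check before (re)starting a daemon on an AFS client.

# Constructed samples of `tokens` output (cell name and AFS ID are made up).
SAMPLE_EMPTY="Tokens held by the Cache Manager:

   --End of list--"
SAMPLE_WITH_TOKEN="Tokens held by the Cache Manager:

User's (AFS ID 1000) tokens for afs@example.org [Expires Mar 31 10:24]
   --End of list--"

# count_afs_tokens: read `tokens` output on stdin and print how many token
# entries it lists. Expired entries are counted too, which errs on the safe side.
count_afs_tokens() {
    grep -ci 'tokens for afs@' || true
}

# safe_to_start OUTPUT: succeed only if OUTPUT lists no tokens at all.
safe_to_start() {
    [ "$(printf '%s\n' "$1" | count_afs_tokens)" -eq 0 ]
}

# start_in_own_pag 'CMD ARGS': pagsh gives the child shell a fresh PAG, so the
# daemon neither inherits the caller's tokens nor picks up tokens that root
# obtains later outside a PAG. unlog is a belt-and-braces discard.
start_in_own_pag() {
    pagsh -c "unlog; exec $1"
}

# restart_daemon 'CMD ARGS': refuse while the invoking shell still holds
# tokens, otherwise launch the daemon in its own PAG.
restart_daemon() {
    if ! safe_to_start "$(tokens)"; then
        echo "refusing to start '$1': this shell holds AFS tokens" >&2
        return 1
    fi
    start_in_own_pag "$1"
}

# Stand-alone use: ./script '/path/to/daemon args'
if [ "$#" -gt 0 ]; then
    restart_daemon "$1"
fi
```
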