[OpenAFS] ftp overrides AFS permissions

Sergio Gelato Sergio.Gelato@astro.su.se
Tue, 30 Mar 2004 18:18:39 +0200


* Christopher Allen Wing [2004-03-30 09:54:02 -0500]:
> The solution is to never start a daemon process as root if you have AFS
> tokens.

Indeed. One can think of several approaches (not all of them mutually
exclusive; different daemons may have different requirements):

(1) run daemons PAGless, run interactive root sessions PAGfull, and
never restart a daemon directly but always via requests to another daemon
such as initd (see Bernstein's daemontools for an example of this approach).
If the daemon isn't a child of your interactive session, it won't inherit
your PAG, terminal, etc.

(2) make the daemon startup script set a new PAG to run the daemon in.
(If several daemons need to share a PAG, one could run an instance of
svscan or equivalent inside that PAG. Handy if one of the daemons is there
to periodically renew tokens for the others.)

(3) drop PAG and tokens before starting a daemon that doesn't rely on (2).
Drop PAGless root tokens at any time (a PAGless cron job or daemon could
do this) if any sensitive daemons are being run PAGless.

> When restarting a daemon process, what I usually do first is:
> 	1. Become root
> 	2. Run 'unpagsh' to drop any PAG
> 	3. Run 'tokens' to make sure that the default PAG for root does
> 	   not have tokens

4. Run 'unlog' to drop any such tokens.
How about doing 2. and 4. in a cron job at regular intervals? Maybe also 3.,
just to have a record of when someone goofed.
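
Added example, not code from this thread or from OpenAFS itself: the
approaches (2) and (3) above and the cron-job sweep proposed at the end,
written as shell helpers. It assumes the OpenAFS client commands pagsh,
tokens and unlog; that `tokens` prints one "[Expires ...]" line per token it
holds; and that logger(1) is available for the record. The sample `tokens`
output embedded at the bottom is constructed for offline checking, and the
command names are overridable for the same reason.

```shell
#!/bin/sh
# Added example (not from the thread). Three helpers:
#   start_in_new_pag     - approach (2): launch a daemon inside its own fresh PAG
#   start_without_tokens - approach (3): unlog, then exec the daemon where we are
#   sweep_root_tokens    - the cron job: look for tokens in root's PAGless
#                          context, record them, and unlog
# Command names are overridable so the logic can be exercised without AFS.

: "${PAGSH:=pagsh}"
: "${TOKENS:=tokens}"
: "${UNLOG:=unlog}"
LOGTAG="afs-token-sweep"

# Return 0 when the `tokens` output read from stdin lists at least one token.
# Assumption: OpenAFS prints one "... [Expires <date>]" line per token held
# and only "--End of list--" when there are none.
has_afs_tokens() {
    grep -q '\[Expires'
}

# Approach (2): run the daemon in a new PAG, so tokens the interactive root
# session holds now, or acquires later, are never visible to it.
# The command string is re-parsed by the shell that pagsh starts.
start_in_new_pag() {
    "$PAGSH" -c "exec $*"
}

# Approach (3): drop whatever tokens this context holds, then exec the daemon.
# Caveat: only the tokens go; the daemon stays in the caller's PAG, so a token
# the caller obtains afterwards (aklog) becomes the daemon's token as well.
start_without_tokens() {
    "$UNLOG" || return 1
    exec "$@"
}

# Record a goof on stderr and, when logger(1) exists (assumption), in syslog.
record_goof() {
    echo "$LOGTAG: $1" >&2
    if command -v logger >/dev/null 2>&1; then
        logger -t "$LOGTAG" "$1" || :
    fi
}

# Cron-job body. A job started by a PAGless cron daemon is already PAGless,
# so `tokens` here shows exactly what a PAGless root daemon would inherit.
# Returns 0 if nothing was found, 1 if tokens were found and dropped,
# 2 if `tokens` itself could not be run.
sweep_root_tokens() {
    out=$("$TOKENS" 2>/dev/null) || return 2
    if printf '%s\n' "$out" | has_afs_tokens; then
        record_goof "PAGless root tokens found, dropping: $(printf '%s\n' "$out" | grep '\[Expires' | tr -s ' \t' ' ')"
        "$UNLOG"
        return 1
    fi
    return 0
}

# Constructed sample `tokens` output in both shapes, for offline checks.
SAMPLE_TOKENS_HELD="Tokens held by the Cache Manager:

User's (AFS ID 1234) tokens for afs@example.com [Expires Mar 31 06:18]
   --End of list--"
SAMPLE_NO_TOKENS="Tokens held by the Cache Manager:

   --End of list--"

case "${1:-}" in
    sweep)   sweep_root_tokens ;;             # cron: */10 * * * * root /path/to/this sweep
    new-pag) shift; start_in_new_pag "$@" ;;  # e.g. new-pag /usr/sbin/sshd
    no-tok)  shift; start_without_tokens "$@" ;;
    *)       ;;
esac
```

The return code of the sweep is what makes the "record of when someone
goofed" cheap: run it from cron, and a non-zero exit plus the syslog line
marks the interval in which root tokens showed up outside any PAG. Note the
asymmetry between the two start helpers: unlog-then-exec protects only
against tokens that exist at start time, whereas a fresh PAG also shields the
daemon from tokens the interactive session picks up afterwards, which is why
(1) or (2) is the safer default and (3) is a fallback.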