[OpenAFS] keeping openafs from breaking group security
Derrick J Brashear
shadow@dementia.org
Sun, 6 Feb 2005 12:51:45 -0500 (EST)
On Sun, 6 Feb 2005, Matthew Miller wrote:
> On Sun, Feb 06, 2005 at 12:46:23PM -0500, Derek Atkins wrote:
>> "Doctor, doctor, it hurts when I do this...."
>
> Cute, but you miss the point: it could hurt when *other* people do this. I'd
> be better if they weren't able to.
>
> If the "su" command let any user change user ids with no authentication,
> would your solution be to suggest I not do it?
My suggestion in this case would be "stop giving users groups" but I don't
know your environment. If you want to disable PAGs, it seems pretty
simple; Make the SetPag pioctl a no-op.