[OpenAFS] pts listentries and system:ptsviewers

Jeffrey Hutzelman jhutz@cmu.edu
Sun, 28 May 2006 14:43:42 -0400


On Wednesday, May 24, 2006 10:59:30 AM -0500 Sidney Cammeresi 
<sac@cheesecake.org> wrote:

> My user is a member of system:ptsviewers but not system:administrators.
> I read from the 1.2.5 release notes (I am not running that version, of
> course) that
>
>         A new system group is created for new cells (system:ptsviewers
>         with id -203).  If this group exists, members of this group can
>         examine and read the entire protection database.  They can examine
>         all users and groups and can get the membership of any group.
>
> So I added myself to system:ptsviewers and can view everything,
> but pts listentries fails, saying permission denied.  And indeed,
> the documentation for pts listentries says it requires membership in
> system:administrators.
>
> Shouldn't it also be okay with membership in system:ptsviewers or is there
> a reason why `can read the entire prdb' shouldn't extend to enumerating
> its contents?

pts listentries works by making multiple calls to the ptserver, each of 
which retrieves several entries at once.  The call it uses is a relatively 
low-level interface which works by scanning the PRDB looking for entries 
representing users and groups.  The scan starts at a database block number 
given by the caller, and continues until 500 entries have been found or the 
end of the database is reached.  This interface, like all calls which 
operate directly on the PRDB at the database block layer, is restricted to 
administrators for security reasons.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA
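The distinction Jeffrey describes, that reading individual entries is open to system:ptsviewers while the block-level scan behind pts listentries is administrators-only, can be modelled as a small authorization simulation. The following Python is an added illustration written for this archive page; it is not OpenAFS ptserver code, and the in-memory database, the group and caller names, and the `PtServer` class are assumptions of the example. It implements the paging loop as the reply states it: each server call scans from a caller-supplied block number until 500 entries are found or the database ends, and a client keeps calling until the server reports no further block.

```python
"""Constructed model of the two ptserver access paths discussed above.

Entry-level reads are allowed for system:ptsviewers (per the quoted 1.2.5
release notes); the block-level scan used by `pts listentries` is restricted
to system:administrators (per the reply). This is illustrative code, not the
OpenAFS implementation; names and the database layout are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ADMINISTRATORS = "system:administrators"
PTSVIEWERS = "system:ptsviewers"
SCAN_BATCH = 500  # the reply: a scan stops after 500 entries are found


class PermissionDenied(Exception):
    """Raised where the real server would return a permission error."""


@dataclass(frozen=True)
class PrEntry:
    block: int    # database block number holding this record
    name: str
    prid: int     # PTS id: positive for users, negative for groups
    kind: str     # "user", "group", or "other" (non-entry blocks)


def build_database(n_users: int, n_groups: int) -> List[PrEntry]:
    """Constructed PRDB: a header block, user/group entries, and some
    non-entry blocks interleaved so a block scan has to skip them."""
    db = [PrEntry(0, "<header>", 0, "other")]
    block, uid, gid = 1, 1, -1
    for i in range(n_users + n_groups):
        if i % 7 == 3:  # simulate a continuation block between entries
            db.append(PrEntry(block, "<continuation>", 0, "other"))
            block += 1
        if i < n_users:
            db.append(PrEntry(block, f"user{uid}", uid, "user"))
            uid += 1
        else:
            db.append(PrEntry(block, f"group{-gid}", gid, "group"))
            gid -= 1
        block += 1
    return db  # invariant: db[k].block == k


class PtServer:
    """Two RPC-like entry points with different authorization rules."""

    def __init__(self, db: List[PrEntry], memberships: Dict[str, Set[str]]):
        self.db = db
        self.memberships = memberships  # caller -> set of system groups
        self.by_name = {e.name: e for e in db if e.kind != "other"}

    def _is_member(self, caller: str, group: str) -> bool:
        return group in self.memberships.get(caller, set())

    def get_entry(self, caller: str, name: str) -> PrEntry:
        """Entry-level read: examine one user or group by name.
        Allowed for ptsviewers and administrators."""
        if not (self._is_member(caller, ADMINISTRATORS)
                or self._is_member(caller, PTSVIEWERS)):
            raise PermissionDenied(f"{caller}: not a pts viewer")
        return self.by_name[name]

    def scan_entries(self, caller: str,
                     start_block: int) -> Tuple[List[PrEntry], Optional[int]]:
        """Block-level scan from start_block: collect user/group entries
        until SCAN_BATCH are found or the database ends. Administrators
        only. Returns (entries, next_block); next_block is None at end."""
        if not self._is_member(caller, ADMINISTRATORS):
            raise PermissionDenied(
                f"{caller}: block-level scan requires {ADMINISTRATORS}")
        found: List[PrEntry] = []
        block = start_block
        while block < len(self.db) and len(found) < SCAN_BATCH:
            rec = self.db[block]
            if rec.kind in ("user", "group"):
                found.append(rec)
            block += 1
        next_block = block if block < len(self.db) else None
        return found, next_block


def list_entries(server: PtServer, caller: str) -> Tuple[List[PrEntry], int]:
    """Client side of `pts listentries`: repeat the scan call from the block
    the server handed back until it reports the end. Returns the entries
    and the number of server calls made."""
    entries: List[PrEntry] = []
    calls = 0
    block: Optional[int] = 0
    while block is not None:
        batch, block = server.scan_entries(caller, block)
        calls += 1
        entries.extend(batch)
    return entries, calls


if __name__ == "__main__":
    srv = PtServer(build_database(1200, 50),
                   {"admin": {ADMINISTRATORS}, "viewer": {PTSVIEWERS}})
    ents, n = list_entries(srv, "admin")
    print(f"admin enumerated {len(ents)} entries in {n} calls")
    print("viewer reads group50:", srv.get_entry("viewer", "group50"))
    try:
        list_entries(srv, "viewer")
    except PermissionDenied as exc:
        print("viewer listentries:", exc)
```

With 1250 entries the admin's enumeration takes three scan calls (500, 500, 250), while the viewer can fetch any single entry by name but is refused on the very first scan call, which is the behaviour reported in the question.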