[OpenAFS] pts listentries and system:ptsviewers
Sun, 28 May 2006 14:43:42 -0400
On Wednesday, May 24, 2006 10:59:30 AM -0500 Sidney Cammeresi
> My user is a member of system:ptsviewers but not system:administrators.
> I read from the 1.2.5 release notes (I am not running that version, of
> course) that
> A new system group is created for new cells (system:ptsviewers
> with id -203). If this group exists, members of this group can
> examine and read the entire protection database. They can examine
> all users and groups and can get the membership of any group.
> So I added myself to system:ptsviewers and can view everything,
> but pts listentries fails, saying permission denied. And indeed,
> the documentation for pts listentries says it requires membership in
> Shouldn't it also be okay with membership in system:ptsviewers or is there
> a reason why `can read the entire prdb' shouldn't extend to enumerating
> its contents?
pts listentries works by making multiple calls to the ptserver, each of
which retrieves several entries at once. The call it uses is a relatively
low-level interface which works by scanning the PRDB looking for entries
representing users and groups. The scan starts at a database block number
given by the caller, and continues until 500 entries have been found or the
end of the database is reached. This interface, like all calls which
operate directly on the PRDB at the database block layer, is restricted to
administrators for security reasons.
-- Jeffrey T. Hutzelman (N3NHS) <firstname.lastname@example.org>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA