[OpenAFS] bos cron jobs and tokens

Juha Jäykkä juhaj@iki.fi
Fri, 13 Apr 2007 09:05:28 +0300

Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

> > Is there any way to run bos cron jobs out of /afs? It does not look
> Yes and no, yes, and yes.

Took me a while to figure out where each answer belongs. =3D)

> You can mount /afs on a machine, install bosserver & KeyFile, and
> run things.  A job started by bos has all the rights that bos has.

I think you misunderstood me. I wanted to do "bos create -server a -type
cron -instance b -cmd /afs/path/script", which does not seem possible
without opening up the ACLs since bos does not seem to forge any tickets
for the cron job. I could, of course, use what ever means I like to
create the tickets once the script is running, but it is not the *script*
that needs tickets (it simply uses "vos dump ... -localauth" - secure
enough?), but bos itself. (Please use s/tickets/tokens/g as necessary.)

> you want to keep as secure as possible.  You don't say what you want
> your bos job to do - but in general, what you could do with bos cron

Ah, I just want to do a bunch of vos dumps from .backup-volumes. You
probably see where I'm getting at... Is this insecure some way? (We
really need this secure: the backups contain things like exams and
students have access to /afs, so if they can mess with the backup process
they might be able to grab exams beforehand.)


		| Juha J=C3=A4ykk=C3=A4, juolja@utu.fi			|
		| home: http://www.utu.fi/~juolja/		|

Content-Type: application/pgp-signature; name=signature.asc
Content-Disposition: attachment; filename=signature.asc

Version: GnuPG v1.4.5 (GNU/Linux)