[OpenAFS] Problems giving a daemon process permanent access to AFS

Jeffrey Hutzelman jhutz@cmu.edu
Thu, 01 Feb 2007 16:59:01 -0500

On Thursday, February 01, 2007 03:57:47 PM -0500 Earl Shannon 
<Earl_Shannon@ncsu.edu> wrote:

> Hello,
> I don't know what all your security considerations are, but I'd suggest
> you create an IP ACL
> in the filespace the daemon needs to access.

Don't do this.  IP-address-based ACL's are not only very insecure but also 
notoriously unreliable.

> If the server doesn't have
> other users on it
> you should be ok.

Sorry, but this is terrible advice.  It is often quite easy for an attacker 
to hijack an IP address; assuming otherwise is asking for trouble.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA