[OpenAFS] Problems giving a daemon process permanent access to AFS
Jeffrey Hutzelman
jhutz@cmu.edu
Thu, 01 Feb 2007 16:59:01 -0500
On Thursday, February 01, 2007 03:57:47 PM -0500 Earl Shannon
<Earl_Shannon@ncsu.edu> wrote:
> Hello,
>
> I don't know what all your security considerations are, but I'd suggest
> you create an IP ACL in the filespace the daemon needs to access.
Don't do this. IP-address-based ACLs are not only very insecure but also
notoriously unreliable.
> If the server doesn't have other users on it you should be ok.
Sorry, but this is terrible advice. It is often quite easy for an attacker
to hijack an IP address; assuming otherwise is asking for trouble.
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA