[OpenAFS] Hardware Grants from Sun
Douglas E. Engert
Fri, 23 Feb 2007 17:36:15 -0600
Jeffrey Hutzelman wrote:
> On Friday, February 23, 2007 04:22:22 PM -0600 "Douglas E. Engert"
> <email@example.com> wrote:
>> Same here. Symlinks to a .Dotfile directory. Messy but works.
>> (My home directory has been in AFS since 1992.)
>> But until this general problem can be solved on *all* platforms
>> one can not tighten down the ACLs on the home directory. Maybe
>> get Sun do somehting about it on their systems. NFSv4 should
>> have the same problem, so maybe they will.
> Exactly what solution should they apply, and why should each OS vendor
> do it unilaterally instead of the Kerberos implementors working
> something out?
Its not really a Kerberos issue, its getting access to the
potential home directory after the user has been authenticated but
before the user has been authorized. The access by root is needed
to help with the authorization and other login activities before
the AFS is normally obtained. Much of this authorization/login
activity is done by the vendor's login code.
The first step is determining if the home directory exists. In the
best world, security wise, the ACL on the parent directory would
at least require system:authuser. Today since root is running
without a token, it has to be at least system:anyuser lookup.
(don'tnit pick this, I am trying to show that security could be
much better if the token was used duing the login authorization
process. The details may be a little off.)
Most OS developers have not had to deal with authenticated access
to a file system with home directories so they have never address
the problems. The access to the .k5login file is just one of these
files. .nologin comes to mind, as do many X11 related files and
.ssh files too.
This problem has been with us since AFS was developed. having to
dink around with symlinks to dot files, or more open ACLs
has never been easy for most users. It has made it difficult to
convince users AFS is good for home directories.
With NFSv4, Sun may have to address some of these issues, and
hopefuly, it will help AFS too. Then in to the other vendors...
> -- Jeff
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439