[OpenAFS] Re: "vos dump" authorization based on "bos adduser"?

Adam Megacz megacz@cs.berkeley.edu
Tue, 05 Jun 2007 11:57:29 -0700

Derrick J Brashear <shadow@dementia.org> writes:
> You can have servers with a more limited set of admins.

If they have admin powers on even a single fileserver, can't they
steal the KeyFile and wreak havoc?

>> Actually, now that I think about it, if all the ptserver instances are
>> down, how would an admin be able to aklog (in order to run bos commands)?

> -localauth. (but aklog doesn't *require* ptserver; see afslog)

But localauth doesn't even require the "bos adduser" list...

I guess I'm just wondering if the bos userlist can be eliminated and
bosserver/volserver can use system:administrators instead.  I'll write
up a patch adding an option for this unless there's some reason why
this is a Very Bad Idea.

  - a

PGP/GPG: 5C9F F366 C9CF 2145 E770  B1B8 EFB1 462D A146 C380
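The thread turns on the fact that bosserver keeps its own per-server admin list (bos UserList) while the rest of the cell trusts system:administrators in ptserver, so the two can drift apart. The script below is an added example, not code from the thread or from OpenAFS, that parses the output of `bos listusers` and `pts membership system:administrators` and reports names present on a server's UserList but absent from system:administrators. The two sample outputs are constructed to match the documented formats; the `audit_server` wrapper assumes it is run on a host with the AFS tools installed and the server's KeyFile available for `-localauth`.

```shell
#!/bin/sh
# Constructed sample outputs (not captured from a real cell), in the
# formats printed by "bos listusers" and "pts membership".
BOS_SAMPLE='SUsers are: admin megacz backup'
PTS_SAMPLE='Members of system:administrators (id: -204) are:
  admin
  megacz'

# Names from "bos listusers" output: strip the "SUsers are:" prefix and
# emit one name per line, sorted and deduplicated.
bos_users() {
  printf '%s\n' "$1" | sed -n 's/^SUsers are: *//p' | tr ' ' '\n' \
    | sed '/^$/d' | sort -u
}

# Names from "pts membership" output: drop the header line, then strip
# the leading indentation from each member name.
pts_members() {
  printf '%s\n' "$1" | sed '1d' | sed 's/^[[:space:]]*//' \
    | sed '/^$/d' | sort -u
}

# Names on the bos UserList that are not in system:administrators.
# Arguments: $1 = bos listusers output, $2 = pts membership output.
bos_only() {
  tmp=$(mktemp) || return 1
  pts_members "$2" > "$tmp"
  bos_users "$1" | awk -v f="$tmp" '
    BEGIN { while ((getline line < f) > 0) seen[line] = 1 }
    !($0 in seen)'
  rm -f "$tmp"
}

# Live check against one server (hypothetical wrapper; needs AFS tools and
# the server's KeyFile for -localauth). Not run here.
audit_server() {
  bos_only "$(bos listusers "$1" -localauth)" \
           "$(pts membership system:administrators)"
}

# Demonstration on the constructed samples: prints "backup".
bos_only "$BOS_SAMPLE" "$PTS_SAMPLE"
```

Run it periodically from each server and alert on any output: a name that can administer bosserver (and therefore read the KeyFile) without being in system:administrators is exactly the gap the thread worries about.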