[OpenAFS] Re: "vos dump" authorization based on "bos adduser"?
Derrick J Brashear
shadow@dementia.org
Tue, 5 Jun 2007 15:26:38 -0400 (EDT)
On Tue, 5 Jun 2007, Adam Megacz wrote:
>
> Derrick J Brashear <shadow@dementia.org> writes:
>> You can have servers with a more limited set of admins.
>
> If they have admin powers on even a single fileserver, can't they
> steal the KeyFile and wreak havoc?
>
>>> Actually, now that I think about it, if all the ptserver instances are
>>> down, how would an admin be able to aklog (in order to run bos commands)?
>
>> -localauth. (but aklog doesn't *require* ptserver; see afslog)
>
> But localauth doesn't even require the "bos adduser" list...
>
> I guess I'm just wondering if the bos userlist can be eliminated and
> bosserver/volserver can use system:administrators instead. I'll write
> up a patch adding an option for this unless there's some reason why
> this is a Very Bad Idea.
bosserver can't depend on ptserver..