[OpenAFS] eliminating non-ptserver authorization (was: "vos dump" authorization based on "bos adduser")

Adam Megacz megacz@cs.berkeley.edu
Fri, 08 Jun 2007 12:50:12 -0700


"Christopher D. Clausen" <cclausen@acm.org> writes:
> So how would I issue bos shutdown for an entire cell, and then bos 
> startup?

I guess that's the only case where this is a problem.  But how often
does somebody without login access to any of the fileservers shut down
an entire cell (for that matter, how often does anybody ever shut down
an entire cell)?

> Logon to one of the AFS servers so that I have access to the
> KeyFile?  This isn't ideal in certain situations.

If you are on the UserList, can't you (ab)use "bos exec" to steal the
KeyFile anyways?

> Besides, sometimes having a separate UserList is a good thing and one 
> can restrict certain operations by placing a user in either 
> system:administrators or the UserList, but not both.  Or in the UserList 
> on some servers and not others.

See above; I don't think it's ever secure to put somebody on UserList
but not in system:administrators; they could steal the KeyFile.  As
for the converse, well maybe, but I don't know if I can think of a
compelling use for that situation.  If somebody's in
system:administrators, they can already screw things up pretty badly;
giving them bos access isn't protecting you from all that much.

                             . . . .

I guess the outcome of this thread is that what I'm proposing is
possible, but would not be desirable for all site policies.  I think
the most reasonable solution would be to have bosserver (in this
order):

   1. Check if request is directly signed by KeyFile
   2. Check if user is on UserList
   3. Check if user is in system:administrators

This way, sites that like the way things are now experience no change
except that if all ptservers are down, requests from unauthorized
users will time out rather than being rejected immediately -- but this
only affects users trying to do something they shouldn't have done
anyways.

Sites that prefer to use only ptserver for authorization can simply
leave UserList empty and get the behavior I described earlier.

I'm going to write up a patch that does this.  Whether or not it is
agreeable to the gatekeepers is, of course, another matter entirely,
but at least the patch will be out there for those who want it.

Thanks to everyone who replied and helped me understand this
situation better!

  - a

-- 
PGP/GPG: 5C9F F366 C9CF 2145 E770  B1B8 EFB1 462D A146 C380
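The three-step check order proposed in the message above, modelled as an added example (this is not OpenAFS code and does not use bosserver's real internals; the names `Ptserver`, `Request`, `authorize()` and `demo()` are assumptions made for the illustration). It shows the point the message makes about failure modes: when every ptserver is down, a KeyFile-signed request and a UserList member still get through without any ptserver lookup, while anyone who would have needed the system:administrators check times out instead of being rejected immediately. The `demo()` scenario runs the same requests against a "legacy" site with a populated UserList and a "ptserver-only" site with an empty one.

```python
"""Model of the proposed bosserver authorization order: KeyFile, then
UserList, then ptserver.  Added illustration, not OpenAFS code; all names
here are assumptions made for the example."""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional, Set


class Decision(Enum):
    ALLOW = "allow"      # request is served
    DENY = "deny"        # request is rejected immediately
    TIMEOUT = "timeout"  # no ptserver answered; the request hangs until it times out


class PtserverDown(Exception):
    """Raised when no ptserver answers the membership lookup."""


@dataclass
class Ptserver:
    """Stand-in for the cell's ptservers: knows who is in system:administrators."""
    admins: FrozenSet[str]
    up: bool = True
    lookups: int = 0  # how many times bosserver actually had to ask

    def is_admin(self, user: str) -> bool:
        self.lookups += 1
        if not self.up:
            raise PtserverDown()
        return user in self.admins


@dataclass
class Request:
    """A bos request as bosserver sees it."""
    user: Optional[str]           # authenticated principal, None if unauthenticated
    keyfile_signed: bool = False  # True when signed directly with the server KeyFile


def authorize(req: Request, userlist: Set[str], pt: Ptserver) -> Decision:
    """Apply the checks in the proposed order; stop at the first one that passes."""
    # 1. A KeyFile-signed request succeeds even with every ptserver down,
    #    which covers the cell-wide shutdown/startup case from the thread.
    if req.keyfile_signed:
        return Decision.ALLOW
    # 2. UserList is a local file on the server, so this check never blocks.
    if req.user is not None and req.user in userlist:
        return Decision.ALLOW
    # 3. Only now is ptserver consulted for system:administrators membership.
    if req.user is None:
        return Decision.DENY
    try:
        return Decision.ALLOW if pt.is_admin(req.user) else Decision.DENY
    except PtserverDown:
        return Decision.TIMEOUT


def demo() -> dict:
    """Constructed scenario: all ptservers are down, alice is both on UserList
    and in system:administrators, mallory is on neither.  Returns the outcome
    for a site that keeps a UserList and for one that relies on ptserver only."""
    admins = frozenset({"alice"})
    policies = {"legacy": {"alice"}, "ptserver-only": set()}
    results = {}
    for site, userlist in policies.items():
        pt = Ptserver(admins=admins, up=False)
        results[site] = {
            "alice": authorize(Request("alice"), userlist, pt).value,
            "mallory": authorize(Request("mallory"), userlist, pt).value,
            "keyfile": authorize(Request(None, keyfile_signed=True), userlist, pt).value,
        }
    return results


if __name__ == "__main__":
    for site, outcome in demo().items():
        print(site, outcome)
```

Running it prints the "legacy" site allowing alice via UserList and only mallory timing out, while the "ptserver-only" site has alice time out as well, since her admin status can no longer be confirmed; the KeyFile-signed request is allowed in both cases. The `lookups` counter makes it visible that a UserList hit never touches ptserver at all.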