[OpenAFS] eliminating non-ptserver authorization (was: "vos dump" authorization based on "bos adduser")
Christopher D. Clausen
Fri, 8 Jun 2007 15:23:48 -0500
Adam Megacz <email@example.com> wrote:
> "Christopher D. Clausen" <firstname.lastname@example.org> writes:
>> So how would I issue bos shutdown for an entire cell, and then bos
> I guess that's the only case where this is a problem. But how often
> does somebody without login access to any of the fileservers shut down
> an entire cell (for that matter, how often does anybody ever shut down
> an entire cell)?
>> Logon to one of the AFS servers so that I have access to the
>> KeyFile? This isn't ideal in certain situations.
> If you are on the UserList, can't you (ab)use "bos exec" to steal the
> KeyFile anyways?
There is a --enable-bos-restricted-mode configure option. I'm pretty
sure that it disables bos -exec. Maybe someone can specify what exactly
bos restricted mode enables or disables?