[OpenAFS] groups in groups, ptsviewers etc...

Christopher D. Clausen cclausen@acm.org
Tue, 18 Mar 2008 11:20:51 -0500

Anders Magnusson <ragge@ltu.se> wrote:
> Marcus Watts wrote:
>>> Also, for people to be able to see what's in the protection
>>> database, they must obviously be members
>>> of the (undocumented?) ptsviewers group. Is it safe just to add all
>>> people to this group or are there other
>>> implications of doing so?
>> Depends on if you ever want private groups or not.
>> If you want everybody in your cell to be able to see group
>> membership by default, you're probably better off running ptserver
>> this way: /usr/afs/bin/ptserver -p 16 -default SOM-- SOM--
>> probably you will need to remake your ptserver instances in bos to
>> do this.
> As a follow-up to this question, is there a way to allow users to list
> the pts entries in some way?

Being in system:ptsviewers doesn't help here, as you have probably 
figured out.  You could use something like remctl to allow others to run 
it via delegated access.  Or make modifications to the source code.

> % pts listentries -groups seems to require that the user belongs to
> system:administrators.

I don't think you realize just how many groups there are in some cells. 
Enumerating all of them is not useful in many cases.

Most users are probably fine just checking on their own group membership 
and using these groups to allow access to files.  pts mem <username> 
will list the groups that a user is in.  And pts listowned <username> 
will list the groups that a particular users "owns."