[OpenAFS] Proposed changes - restricted mode
Christopher D. Clausen
cclausen@acm.org
Sun, 5 Dec 2010 16:37:31 -0600
Michael Meffie <mmeffie@sinenomine.net> wrote:
> Simon Wilkinson wrote:
>>
>> On 5 Dec 2010, at 02:55, Derrick Brashear <shadow@dementia.org>
>> wrote:
>>> We tell you that you can, and how, to disable this
>>
>> Perhaps we should ship with it disabled by default?
>
> Yes, I agree, bos exec really should be disabled by default, and only
> turned on after people understand the implications. (I've used
> the same trick Derrick mentioned, bos exec/bos getlog. I thought
> I was being clever.)
Someone correct me if this has changed, but be careful enabling
restricted mode by default. This adds a line to BosConfig and backing
out newer binaries with this option enabled for older binaries can cause
AFS to no longer work as the old binaries do not understand the
restrictedmode entry in the BosConfig file and give some kind of cryptic
error or something. (Or at least I had something like this happen once
and had to remove the offending line from BosConfig by hand to get my
old binaries to work again.)
This can be somewhat of a problem when backing out upgrades due to
whatever problems.
That said, I do think this is a good idea. Random services (especially
ones running as root) shouldn't have a default mechanism to run
arbitrary binaries on a system. People likely do not realize that
adding someone to UserList also effectively gives them root access on
the AFS servers which could be running other services as well.
<<CDC
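As an added illustration of the rollback hazard described in the message above (this is not code from the OpenAFS project or from anyone in the thread), the script below parses a BosConfig file, reports whether a restrictedmode line is present, and can strip that line the way the author says he had to do by hand. It assumes the usual BosConfig layout (global keyword lines, then `bnode`/`parm`/`end` blocks) and that the keyword is written as `restrictedmode 1` or `restrictedmode 0`; the sample file content is constructed for the example.

```python
"""Pre-downgrade check for an OpenAFS BosConfig file.

Added example, not OpenAFS project code. It parses the BosConfig format and
reports whether a 'restrictedmode' line is present, so an admin can see before
rolling back to older bosserver binaries whether that line needs attention.
The exact spelling 'restrictedmode <0|1>' is assumed here.
"""
import re

# Constructed sample BosConfig content, modelled on the usual layout:
# global keyword lines first, then 'bnode ... / parm ... / end' blocks.
SAMPLE_BOSCONFIG = """\
restrictedmode 1
restarttime 16 0 0 0 0
checkbintime 3 0 5 0 0
bnode simple ptserver 1
parm /usr/afs/bin/ptserver
end
bnode simple vlserver 1
parm /usr/afs/bin/vlserver
end
"""


def parse_bosconfig(text):
    """Return (globals, bnodes).

    globals: dict of top-level keyword -> list of argument strings
    bnodes:  list of dicts {type, name, status, parms}
    """
    globals_ = {}
    bnodes = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split()
        kw = fields[0]
        if kw == "bnode":
            # bnode <type> <instance> <status>
            current = {"type": fields[1], "name": fields[2],
                       "status": int(fields[3]) if len(fields) > 3 else None,
                       "parms": []}
        elif kw == "parm" and current is not None:
            current["parms"].append(line[len("parm"):].strip())
        elif kw == "end" and current is not None:
            bnodes.append(current)
            current = None
        else:
            globals_[kw] = fields[1:]
    return globals_, bnodes


def restricted_mode_status(text):
    """'absent', 'enabled' or 'disabled' for the restrictedmode keyword."""
    globals_, _ = parse_bosconfig(text)
    if "restrictedmode" not in globals_:
        return "absent"
    args = globals_["restrictedmode"]
    return "enabled" if args and args[0] != "0" else "disabled"


def strip_restricted_mode(text):
    """Return the BosConfig text with any restrictedmode line removed.

    Mirrors the manual fix described in the thread: older bosserver binaries
    that do not know the keyword need the line gone before they will start.
    """
    kept = [l for l in text.splitlines()
            if not re.match(r"^\s*restrictedmode\b", l)]
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")


def downgrade_warnings(text):
    """Warnings an admin should see before rolling back to older binaries."""
    warnings = []
    status = restricted_mode_status(text)
    if status != "absent":
        warnings.append(
            f"BosConfig contains a 'restrictedmode' line ({status}); "
            "bosserver builds that predate the keyword may refuse to parse it."
        )
    return warnings


if __name__ == "__main__":
    for w in downgrade_warnings(SAMPLE_BOSCONFIG):
        print("WARNING:", w)
    print(strip_restricted_mode(SAMPLE_BOSCONFIG))
```

Run it against a copy of the real file (for example `python3 check.py < /usr/afs/local/BosConfig` after swapping the sample for `sys.stdin.read()`) before swapping in older binaries; keeping the original file under version control or a backup is still the safer habit, since the script only reports and rewrites the one keyword.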