[OpenAFS] Re: AFS version of sudo for admin ?

Andrew Deason adeason@sinenomine.net
Fri, 17 Dec 2010 09:39:46 -0600


On Fri, 17 Dec 2010 16:35:38 +0100
Anders Magnusson <ragge@ltu.se> wrote:

> > This doesn't require you to enter a password for a release, though,
> > which I assumed John wanted (it might help to say which specific
> > aspects of 'sudo' you're looking for). That is, you can still 'kinit
> > foo/admin' and walk away and someone else can vos whatever.
>
> Eh, how? You lose your pag when kinit exits, so no credentials
> left...?

As long as you're using that script. Nothing prevents you from acquiring
admin credentials manually and then doing whatever you want.

I'm also assuming he wants to restrict the user to a certain subset of
operations, or to be able to release a certain subset of volumes (like
Russ' afs-backend scripts). You can't just give someone an admin
principal for that.

-- 
Andrew Deason
adeason@sinenomine.net