[OpenAFS] AFS version of sudo for admin ?
Chris (Ducky) Chapin
Fri, 17 Dec 2010 14:24:49 -0800
I wrote an afs sudo kind of thing around 2003 or so mainly intended to
replace the adm stuff that ceased working after a server upgrade. It
mostly handles vos releases for end-users but definitely not limited to
Aside from "sudo" in the name and the fact that it handles elevated
privs, it doesn't behave like sudo with configurable token time-out,
etc. It runs as a daemon process on a host under a user that does have
admin access. The client side then contacts this server where they do a
challenge/response sort of thing first over the TCP port (for the
challenge) and then through a spool dir (for the response), which proves
through AFS who the user is. So, it just relies on the user having a token
in the first place.
The user is then permitted to run scripts from out of a controlled path
so long as they're in a pts group named after the script, or it finds a
script suffixed with "-anyuser".
Yeah, the auth is definitely a kluge and can't do anything kas related,
but it works for the ~500 requests/day it gets. Not sure how ready the
code is for public consumption, though. ;)
On 12/17/2010 06:29 AM, John Tang Boyland wrote:
> Does anyone know of a "sudo" like command for AFS admin commands?
> admindo vos release pkg.foo
> It would be nice, but not essential to have the token stick around
> for 5 minutes in case you need to do another admindo soon afterwards.
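The authorization rule described in the message above (scripts run only from a controlled path, allowed when the user is in a pts group named after the script or when a "-anyuser" variant exists), sketched as an added example that is not from the original post or the author's code. The function name, the directory layout and the sample script and group names are assumptions, and the group set is assumed to come from the daemon's own pts lookup of the already-authenticated user.

```python
import os
import tempfile

ANYUSER_SUFFIX = "-anyuser"  # suffix named in the post


def resolve_script(script_dir, name, user_groups):
    """Return the real path of the script this user may run, else None.

    user_groups: pts groups of the authenticated user (assumption: looked up
    by the daemon itself, never taken from the client's request).
    """
    # Accept only a bare file name: no separators, no dot-names, no NUL.
    if (not name or "\0" in name or name.startswith(".")
            or name != os.path.basename(name)):
        return None
    base = os.path.realpath(script_dir)
    candidates = [name + ANYUSER_SUFFIX]   # open to any authenticated user
    if name in user_groups:                # group named after the script
        candidates.insert(0, name)
    for cand in candidates:
        path = os.path.realpath(os.path.join(base, cand))
        if os.path.dirname(path) != base:  # symlink leading out of the dir
            continue
        if os.path.isfile(path) and os.access(path, os.X_OK):
            return path
    return None


def demo():
    """Build a constructed script directory and evaluate sample requests."""
    root = tempfile.mkdtemp()
    scripts = os.path.join(root, "scripts")
    outside = os.path.join(root, "outside")
    os.mkdir(scripts)
    os.mkdir(outside)
    for path in (os.path.join(scripts, "vos-release"),
                 os.path.join(scripts, "status-anyuser"),
                 os.path.join(outside, "evil")):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, 0o755)
    os.symlink(os.path.join(outside, "evil"), os.path.join(scripts, "escape"))
    ask = lambda name, groups: resolve_script(scripts, name, groups) is not None
    return {"member": ask("vos-release", {"vos-release"}),
            "non_member": ask("vos-release", set()),
            "anyuser": ask("status", set()),
            "traversal": ask("../outside/evil", {"evil"}),
            "symlink": ask("escape", {"escape"})}
```

Resolving the real path before the membership decision is what keeps a symlink or a crafted name from turning group membership into execution of a file outside the controlled directory.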