[OpenAFS] AFS version of sudo for admin ?

Chris (Ducky) Chapin cchapin@qualcomm.com
Fri, 17 Dec 2010 14:24:49 -0800

I wrote an afs sudo kind of thing around 2003 or so mainly intended to 
replace the adm stuff that ceased working after a server upgrade. It 
mostly handles  vos releases for end-users but definitely not limited to 

Aside from "sudo" in the name and the fact that it handles elevated 
privs, it doesn't behave like sudo with configurable token time-out, 
etc. It runs as a daemon process on a host under a user that does have 
admin access. The client side then contacts this server where they do a 
challenge/response sort of thing first over the TCP port (for the 
challenge) and then through a spool dir (for the response), which proves 
through AFS who the user is. So, it just relies the user having a token 
in the first place.

The user is then permitted to run scripts from out of a controlled path 
so long as they're in a pts group named after the script, or it finds a 
script suffixed with "-anyuser".

Yeah, the auth is definitely a kluge and can't do anything kas releated, 
but it works for the ~500 requests/day it gets. Not sure how ready the 
code is for public consumption, though. ;)


On 12/17/2010 06:29 AM, John Tang Boyland wrote:
> Does anyone know of a "sudo" like command for AFS admin commands?
> 	admindo vos release pkg.foo
> It would be nice, but not essential to have the token stick around
> for 5 minutes in case you need to do another admindo soon afterwards.
> Regards,
> John
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info