[OpenAFS] "group prefix doesn't match owner"

[Russ Allbery]

Derrick Brashear <shadow@gmail.com> writes:
> Russ Allbery <rra@stanford.edu> wrote:
>> Derrick Brashear <shadow@gmail.com> writes:

>>> A similar "attack" has been discussed before.

>>> pts cg shadow:something
>>> pts chown shadow:something jaltman

>>> jaltman now owns jaltman:something.

>> This behavior is also really annoying if you have an external group
>> system whose names you're trying to synchronize with AFS PTS groups.

> only if you track by name and not by id. same issue. :)

Users who create a workgroup named shadow:something and then go to AFS and
wonder why fs setacl . shadow:something all doesn't work are unlikely to
be easily patched to track by ID instead.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>