[OpenAFS] "group prefix doesn't match owner"
   
Derrick Brashear
shadow@gmail.com
Mon, 3 May 2010 23:29:45 -0400
  
On Mon, May 3, 2010 at 11:23 PM, Russ Allbery <rra@stanford.edu> wrote:
> Derrick Brashear <shadow@gmail.com> writes:
>> Russ Allbery <rra@stanford.edu> wrote:
>>> Derrick Brashear <shadow@gmail.com> writes:
>
>>>> A similar "attack" has been discussed before.
>
>>>> pts cg shadow:something
>>>> pts chown shadow:something jaltman
>
>>>> jaltman now owns jaltman:something.
>
>>> This behavior is also really annoying if you have an external group
>>> system whose names you're trying to synchronize with AFS PTS groups.
>
>> Only if you track by name and not by id. Same issue. :)
>
> Users who create a workgroup named shadow:something and then go to AFS and
> wonder why fs setacl . shadow:something all doesn't work are unlikely to
> be easily patched to track by ID instead.

They should probably avoid chowning the group away between steps a and b.

-- 
Derrick