[OpenAFS] Re: Group creation by foreign users
Danko Antolovic
dantolov@indiana.edu
Mon, 17 Oct 2011 10:15:40 -0400
There is still something inconsistent about the behavior of foreign
users with respect to group creation. Here are some further details:
On the client machine, I hold the token to the cell afs1.bedrock.iu.edu,
as a foreign user dantolov@ads.iu.edu, with group quota zero. I can
create a group, which I can't subsequently delete, and that group has
the owner/creator set as system:administrators (-204). (Not shown here,
but if the group quota of the foreign user is set to a positive number,
the quota does not change when the user creates groups.)
[root@dantolov dantolov]# tokens
Tokens held by the Cache Manager:
User's (AFS ID 130863) tokens for afs@afs1.bedrock.iu.edu [Expires Oct 14 18:41]
--End of list--
[root@dantolov dantolov]# pts examine 130863 -cell afs1.bedrock.iu.edu
Name: dantolov@ads.iu.edu, id: 130863, owner: system:administrators,
creator: system:administrators,
membership: 1, flags: S----, group quota: 0.
[root@dantolov dantolov]# pts creategroup foo -cell afs1.bedrock.iu.edu
group foo has id -224
[root@dantolov dantolov]# pts delete foo -cell afs1.bedrock.iu.edu
pts: Permission denied deleting foo (id: -224)
Interestingly, creating another user entry, as a foreign user, fails
with insufficient privilege, as does pts listentries:
[root@dantolov dantolov]# pts createuser joe -cell afs1.bedrock.iu.edu
pts: Permission denied ; unable to create user joe
[root@dantolov dantolov]# pts listentries -users -cell afs1.bedrock.iu.edu
Name ID Owner Creator
pts: Permission denied ; unable to list entries
[root@dantolov dantolov]# pts listentries -groups -cell afs1.bedrock.iu.edu
Name ID Owner Creator
pts: Permission denied ; unable to list entries
On the server machine, afs1.bedrock.iu.edu, I hold the token as a local
admin user, dantolov, with unlimited group quota. I can create groups
with the correct owner/creator, and delete them as well. (As a non-admin
user, I can create and delete prefixed groups with the correct
owner/creator, and the non-admin user's group quota changes as expected.)
[root@afs1c afs]# tokens
Tokens held by the Cache Manager:
User's (AFS ID 2) tokens for afs@afs1.bedrock.iu.edu [Expires Oct 14 11:16]
--End of list--
[root@afs1c afs]# pts examine 2
Name: dantolov, id: 2, owner: system:administrators, creator: anonymous,
membership: 1, flags: S----, group quota: unlimited.
[root@afs1c afs]# pts creategroup boo
group boo has id -225
[root@afs1c afs]# pts listent -groups
Name ID Owner Creator
system:administrators -204 -204 -204
system:backup -205 -204 -204
system:anyuser -101 -204 -204
system:authuser -102 -204 -204
system:ptsviewers -203 -204 -204
system:authuser@ads.iu.edu -209 -204 32766
foo -224 -204 -204
boo -225 2 2
There is no file NoAuth on the server machine:
[root@afs1c afs]# ls /usr/afs/local
BosConfig fssync.sock SALVAGE.fs salvage.lock sysid sysid.old
and I don't know if this line in BosConfig has any relevance:
[root@afs1c afs]# cat /usr/afs/local/BosConfig
restrictmode 0
...
Andrew Deason wrote:
> On Tue, 11 Oct 2011 15:08:11 -0400
> Danko Antolovic <dantolov@indiana.edu> wrote:
>
>
>> How does the group creation/deletion work for foreign users? In the
>> example below, I hold the token for the cell afs1.bedrock.iu.edu, as a
>> foreign user sharetsb@ads.iu.edu, ID 196399; that user has the group
>> quota of zero. All the same, I can create prefixed and prefixless
>> groups, all of which have the owner and creator -204, regardless of
>> anything. I can also delete these groups at will.
>>
>> This does not appear quite right. Can anyone advise?
>>
>
> This was mentioned earlier in private, but for the list: this is what
> you see when you're running with -noauth.
>
>
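As an added defender-side check (not code from this thread or from OpenAFS), the POSIX sh function below reports the two configuration-level ways a cell's servers end up running unauthenticated, which is the condition the reply points at: a NoAuth file in the local directory, or -noauth on a bnode's parm line in BosConfig. The sample BosConfig is constructed; /usr/afs/local is the path used in the thread, and a -noauth passed to bosserver itself is assumed not to appear in BosConfig at all.

```shell
#!/bin/sh
# Constructed sample BosConfig (not from the thread): ptserver is started
# with -noauth, the condition the reply identifies.
SAMPLE_BOSCONFIG=$(mktemp)
cat >"$SAMPLE_BOSCONFIG" <<'EOF'
restrictmode 0
restarttime 16 0 0 0 0
checkbintime 3 0 5 0 0
bnode simple ptserver 1
parm /usr/afs/bin/ptserver -noauth
end
bnode simple vlserver 1
parm /usr/afs/bin/vlserver
end
EOF

# check_noauth BOSCONFIG LOCALDIR
# Prints one line per finding: a NoAuth file in LOCALDIR, or -noauth on a
# bnode's parm line in BOSCONFIG. A -noauth given to bosserver itself is
# not recorded in BosConfig and must be checked in the process list.
# Returns 0 if nothing was found, 1 otherwise.
check_noauth() {
    bosconfig=$1
    localdir=$2
    findings=0
    if [ -e "$localdir/NoAuth" ]; then
        echo "NoAuth file present: $localdir/NoAuth"
        findings=1
    fi
    bnode=
    while IFS= read -r line; do
        case $line in
            "bnode "*)
                # "bnode <type> <instance> <goal>": remember the instance name
                set -- $line
                bnode=$3
                ;;
            "parm "*-noauth*)
                echo "bnode $bnode started with -noauth: $line"
                findings=1
                ;;
            end)
                bnode=
                ;;
        esac
    done <"$bosconfig"
    return $findings
}

check_noauth "$SAMPLE_BOSCONFIG" /usr/afs/local || echo "unauthenticated server configuration found"
```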