[OpenAFS] Is member of a machine group honored as system:authuser?

Thu, 25 Jan 2018 10:06:39 -0500

This is a cryptographically signed message in MIME format.

--------------ms080800090301030402050401
Content-Type: multipart/mixed;
 boundary="------------96E3083A6B21B18F47C4F30B"
Content-Language: en-US

This is a multi-part message in MIME format.
--------------96E3083A6B21B18F47C4F30B
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On 1/24/2018 2:31 PM, Ximeng Guan wrote:
> Hello,
>=20
> I am trying to make some effective use of machine groups in AFS to acco=
mmodate certain requirement of licensed software. I read about the featur=
e, and noticed that in the 1998 edition of the book "Managing AFS, The An=
drew File System" by Richard Campbell, the following text appeared in Cha=
pter 7 p.230:
>=20
> "...
> There is one final quirk to the implementation: it's common for several=
 top-level directories of the AFS namespace to be permitted only to syste=
m:authuser, that is, any user can access the rest of the namespace, but o=
nly if the user has been authenticated as a user, any user, of the curren=
t cell. Machine groups are intended to be useful for any person logged in=
 to a workstation so that software licenses can be honestly followed. The=
refore, when an unauthenticated user is using a machine that is a member =
of a group entry on an ACL, the user's implicit credential is elevated to=
 system:authuser, but only if the machine entry in the group is an exact =
match, not a wildcard.
>=20
> This rule permits any user of a given desktop to effectively have syste=
m:authuser credentials for a directory. As long as that directory has an =
ACL that includes the specific machine's IP address as a member of a grou=
p entry, any user of the desktop, and only that desktop, would have acces=
s to the directory.=20
> ...
> "

This text was true prior to IBM AFS 3.2 but has not been true for any
release since IBM AFS 3.3.  As of AFS 3.3 the Current Protection Set for
a host includes neither system:anyuser nor system:authuser.  In other
words, hosts are not users.

> That is exactly what we have in the top-level directories in our cell: =
We have "system:authuser rl" on the ACL of root.cell.=20
>=20
> Access list for . is
> Normal rights:
>   system:administrators rlidwka
>   system:authuser rl
>=20
> Then when I create a machine-based pts entry 10.12.8.31, add it to a ne=
w group named machinegrp, and wait for >2 hours to let it be effective (a=
ccording to dafileserver's man page)
>=20
> $ pts member machinegrp
> Members of machinegrp (id: -250) are:
>   10.12.8.31
>=20
> I would expect that a local user on 10.12.8.31, even without an AFS tok=
en, would be able to "cd" into the top directory of the cell. But in real=
ity that does not happen. An unauthenticated user is denied of access.=20

This is working as designed because the ACL does not include the host
identity.
>=20
> When I explicitly put "machinegrp rl" on the ACL of the cell's top dire=
ctory (root.cell), an unauthenticated user is indeed able to access the A=
FS space.=20
>=20
> This is not quite convenient, because to allow the user of that specifi=
c machine to launch a license software installed in a certain (deep) dire=
ctory under AFS, for example /afs/cellname/tools/vendors/abc/softwarexx/b=
in, we would have to explicitly place "machinegrp l" on the ACL of the pa=
rent directories of ./bin from /softwarexx all the way up to /cellname.=20
>=20
> Then if we have another software and another machine group, we will hav=
e to do the same again, and the ACL of our root.cell directory will soon =
be populated with machine group entries. That does not seem to be an eleg=
ant solution.=20
>=20
> Did I miss anything here?=20

Perhaps.

The problem you are attempting to solve is that there exist directories
and files that must be accessible only from a particular subset of
trusted machines.  This data is only supposed to be visible to users of
those machines and no one else.

What you are possibly missing is that IP ACLs are not a form of
authentication and they cannot be used to provide any integrity
protection or wire privacy.  Any data that is accessed by the host
without a user's AFS token is going to be transmitted in the clear.
In addition, IP addresses can be spoofed.

This use case is one that AuriStorFS was explicitly designed to address.
 AuriStorFS client hosts can be keyed using Kerberos v5 principals.
AuriStor's RX security class supports combined identity authentication
providing the file server both the identity of the user and the identity
of the host.  Finally, the AuriStorFS Access Control language permits
different access permissions to be granted to each of the following
combinations:

  authenticated user on unauthenticated host
  authenticated user on authenticated host
  anonymous user on authenticated host
  anonymous user on anonymous host

The anonymous user on authenticated host communications with the file
server are authenticated using the host principal and all data is both
integrity protected and encrypted for wire privacy.

Jeffrey Altman
AuriStor, Inc.

--------------96E3083A6B21B18F47C4F30B
Content-Type: text/x-vcard; charset=utf-8;
 name="jaltman.vcf"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
 filename="jaltman.vcf"

begin:vcard
fn:Jeffrey Altman
n:Altman;Jeffrey
org:AuriStor, Inc.
adr:Suite 6B;;255 West 94Th Street;New York;New York;10025-6985;United St=
ates
email;internet:jaltman@auristor.com
title:Founder and CEO
tel;work:+1-212-769-9018
note;quoted-printable:LinkedIn: https://www.linkedin.com/in/jeffreyaltman=
=3D0D=3D0A=3D
	Skype: jeffrey.e.altman=3D0D=3D0A=3D
=09
url:https://www.auristor.com/
version:2.1
end:vcard

--------------96E3083A6B21B18F47C4F30B--

--------------ms080800090301030402050401
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCC
DIIwggXpMIIE0aADAgECAhBAAV7gPRitcrlGsJTzkwjvMA0GCSqGSIb3DQEBCwUAMDoxCzAJ
BgNVBAYTAlVTMRIwEAYDVQQKEwlJZGVuVHJ1c3QxFzAVBgNVBAMTDlRydXN0SUQgQ0EgQTEy
MB4XDTE3MTAwMzAzMTczM1oXDTE4MTEwMzAzMTczM1owgYUxLTArBgNVBAsMJFZlcmlmaWVk
IEVtYWlsOiBqYWx0bWFuQGF1cmlzdG9yLmNvbTEjMCEGCSqGSIb3DQEJARYUamFsdG1hbkBh
dXJpc3Rvci5jb20xLzAtBgoJkiaJk/IsZAEBEx9BMDE0MjdFMDAwMDAxNUVFMDNEMTg3QTAw
MDA0QUE1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqqJC89ZA1DSS7t/Ug8Dd
BQv5nBDumInWtFvHwVCORitVCvlkX4SfqKpERATq0eHOSc0zEz1PUjhAT8lgbNj8Bs92pL9t
DW/VHHpq11w06rCEmZJNxgErAIvMpRuAhGrzvBpQBLj8nDArHWw+5nRn/KnK7ZO81LEEj4TG
w0PEKGSa0aFA+JdRTJ6BZSDP2o/8AHx+Bw4JgW8VppAe4IuY/F+JoYtyQDL+fm1YMnFMtf1A
6IvlGXD7gMksPRbVIfD+QpHZbQvNXZAVVDaCWZuWQq46Vl4lSlkmW9yMlGddvFGl2zSMK7ny
f0kbWJLw9lZxXDegY0/ciJPACPsyBwuyLwIDAQABo4ICnTCCApkwDgYDVR0PAQH/BAQDAgWg
MIGEBggrBgEFBQcBAQR4MHYwMAYIKwYBBQUHMAGGJGh0dHA6Ly9jb21tZXJjaWFsLm9jc3Au
aWRlbnRydXN0LmNvbTBCBggrBgEFBQcwAoY2aHR0cDovL3ZhbGlkYXRpb24uaWRlbnRydXN0
LmNvbS9jZXJ0cy90cnVzdGlkY2FhMTIucDdjMB8GA1UdIwQYMBaAFKRz2u9pNYp1zKAZewgy
+GuJ5ELsMAkGA1UdEwQCMAAwggEsBgNVHSAEggEjMIIBHzCCARsGC2CGSAGG+S8ABgsBMIIB
CjBKBggrBgEFBQcCARY+aHR0cHM6Ly9zZWN1cmUuaWRlbnRydXN0LmNvbS9jZXJ0aWZpY2F0
ZXMvcG9saWN5L3RzL2luZGV4Lmh0bWwwgbsGCCsGAQUFBwICMIGuGoGrVGhpcyBUcnVzdElE
IENlcnRpZmljYXRlIGhhcyBiZWVuIGlzc3VlZCBpbiBhY2NvcmRhbmNlIHdpdGggCklkZW5U
cnVzdCdzIFRydXN0SUQgQ2VydGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vc2Vj
dXJlLmlkZW50cnVzdC5jb20vY2VydGlmaWNhdGVzL3BvbGljeS90cy9pbmRleC5odG1sMEUG
A1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly92YWxpZGF0aW9uLmlkZW50cnVzdC5jb20vY3JsL3Ry
dXN0aWRjYWExMi5jcmwwHwYDVR0RBBgwFoEUamFsdG1hbkBhdXJpc3Rvci5jb20wHQYDVR0O
BBYEFNefZrPaqPUvaS6V6kAmHDwFhoDiMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD
BDANBgkqhkiG9w0BAQsFAAOCAQEAKlssrfOJ5+WwHyhFSeSsioN0qpg2QDX/uvodF38JbquO
1U0my0j3Cc/bwk48++bjzp0Fvk/Kkcmss5/6zzJMjr9rf12QCQfKkbO9nMm8Bg6IP3pYgk0W
/F1h3ZQF3OgBn3zZoOd3f1a6dF6z12MqKA/2g5GKrQFxkdzTGrNw6ISE9uY8ysvc3i2N2kas
HNi5Etk7StZ1jvFX5sQMIeNdlF+z+BU/AyT7NoBS4gCH+ggF+DG7fAYywvy42Lfu8p6kopKT
5JZpYce1cNjnOaDhzhgeR+oXxoDbekF27JinXHQSKjBxhujcZu5leAkpctFpZxnIKZJZUBiu
31Nm7xYaijCCBpEwggR5oAMCAQICEQD53lZ/yU0Md3D5YBtS2hU7MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJZGVuVHJ1c3QxJzAlBgNVBAMTHklkZW5UcnVz
dCBDb21tZXJjaWFsIFJvb3QgQ0EgMTAeFw0xNTAyMTgyMjI1MTlaFw0yMzAyMTgyMjI1MTla
MDoxCzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJZGVuVHJ1c3QxFzAVBgNVBAMTDlRydXN0SUQg
Q0EgQTEyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0ZFNPM8KJzSSrkvpmtQl
a3ksT+fq1s9c+Ea3YSC/umUkygSm9UkkOoaoNjKZoCx3wef1kwC4pQQV2XHk+AKR+7uMvnOC
Iw2cAVUP0/Kuy4X6miqaXGGVDTqwVjaFuFCRVVDTQoI2BTMpwFQi+O/TjD5+E0+TAZbkzsB7
krk4YUbA6hFyT0YboxRUq9M2QHDb+80w53b1UZVO1HS2Mfk9LnINeyzjxiXU/iENK07YvjBO
xbY/ftAYPbv/9cY3wrpqZYHoXZc6B9/8+aVCNA45FP3k+YuTDC+ZrmePQBLQJWnyS/QrZEdX
saieWUqkUMxPQKTExArCiP61YRYlOIMpKwIDAQABo4ICgDCCAnwwgYkGCCsGAQUFBwEBBH0w
ezAwBggrBgEFBQcwAYYkaHR0cDovL2NvbW1lcmNpYWwub2NzcC5pZGVudHJ1c3QuY29tMEcG
CCsGAQUFBzAChjtodHRwOi8vdmFsaWRhdGlvbi5pZGVudHJ1c3QuY29tL3Jvb3RzL2NvbW1l
cmNpYWxyb290Y2ExLnA3YzAfBgNVHSMEGDAWgBTtRBnA0/AGi+6ke75C5yZUyI42djAPBgNV
HRMBAf8EBTADAQH/MIIBIAYDVR0gBIIBFzCCARMwggEPBgRVHSAAMIIBBTCCAQEGCCsGAQUF
BwICMIH0MEUWPmh0dHBzOi8vc2VjdXJlLmlkZW50cnVzdC5jb20vY2VydGlmaWNhdGVzL3Bv
bGljeS90cy9pbmRleC5odG1sMAMCAQEagapUaGlzIFRydXN0SUQgQ2VydGlmaWNhdGUgaGFz
IGJlZW4gaXNzdWVkIGluIGFjY29yZGFuY2Ugd2l0aCBJZGVuVHJ1c3QncyBUcnVzdElEIENl
cnRpZmljYXRlIFBvbGljeSBmb3VuZCBhdCBodHRwczovL3NlY3VyZS5pZGVudHJ1c3QuY29t
L2NlcnRpZmljYXRlcy9wb2xpY3kvdHMvaW5kZXguaHRtbDBKBgNVHR8EQzBBMD+gPaA7hjlo
dHRwOi8vdmFsaWRhdGlvbi5pZGVudHJ1c3QuY29tL2NybC9jb21tZXJjaWFscm9vdGNhMS5j
cmwwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMA4GA1UdDwEB/wQEAwIBhjAdBgNV
HQ4EFgQUpHPa72k1inXMoBl7CDL4a4nkQuwwDQYJKoZIhvcNAQELBQADggIBAA3hgq7S+/Tr
Yxl+D7ExI1Rdgq8fC9kiT7ofWlSaK/IMjgjoDfBbPGWvzdkmbSgYgXo8GxuAon9+HLIjNv68
BgUmbIjwj/SYaVz6chA25XZdjxzKk+hUkqCmfOn/twQJeRfxHg3I+0Sfwp5xs10YF0Robhrs
CRne6OUmh9mph0fE3b21k90OVnx9Hfr+YAV4ISrTA6045zQTKGzb370whliPLFo+hNL6XzEt
y5hfdFaWKtHIfpE994CLmTJI4SEbWq40d7TpAjCmKCPIVPq/+9GqggGvtakM5K3VXNc9VtKP
U9xYGCTDIYoeVBQ65JsdsdyM4PzDzAdINsv4vaF7yE03nh2jLV7XAkcqad9vS4EB4hKjFFsm
cwxa+ACUfkVWtBaWBqN4f/o1thsFJHEAu4Q6oRB6mYkzqrPigPazF2rgYw3lp0B1gSzCRj+j
RtErIVdMPeZ2p5Fdx7SNhBtabuhqmpJkFxwW9SBg6sHvy0HpzVvEiBpApFKG1ZHXMwzQl+pR
8P27wWDsblJU7Qgb8ZzGRK9l5GOFhxtN+oXZ4CCmunLMtaZ2vSai7du/VKrg64GGZNAKerEB
evjJVNFgeSnmUK9GB4kCZ7U5NWlU+2H87scntW4Q/0Y6vqQJcJeaMHg/dQnahTQ2p+hB1xJJ
K32GWIAucTFMSOKLbQHadIOiMYIDFDCCAxACAQEwTjA6MQswCQYDVQQGEwJVUzESMBAGA1UE
ChMJSWRlblRydXN0MRcwFQYDVQQDEw5UcnVzdElEIENBIEExMgIQQAFe4D0YrXK5RrCU85MI
7zANBglghkgBZQMEAgEFAKCCAZcwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG
9w0BCQUxDxcNMTgwMTI1MTUwNjM5WjAvBgkqhkiG9w0BCQQxIgQg2nAT38aa/r59Hh8HReOi
V2jaQ5t2kjX8wWVbDlVjPGAwXQYJKwYBBAGCNxAEMVAwTjA6MQswCQYDVQQGEwJVUzESMBAG
A1UEChMJSWRlblRydXN0MRcwFQYDVQQDEw5UcnVzdElEIENBIEExMgIQQAFe4D0YrXK5RrCU
85MI7zBfBgsqhkiG9w0BCRACCzFQoE4wOjELMAkGA1UEBhMCVVMxEjAQBgNVBAoTCUlkZW5U
cnVzdDEXMBUGA1UEAxMOVHJ1c3RJRCBDQSBBMTICEEABXuA9GK1yuUawlPOTCO8wbAYJKoZI
hvcNAQkPMV8wXTALBglghkgBZQMEASowCwYJYIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqG
SIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDANBgkq
hkiG9w0BAQEFAASCAQAh9NCxH+xRB63eq8h1BHekNqwsVexRsj0t/akdfxUnMeAx1dEgMYOy
Dw9IO4xswrSldJAanT8Yevgx7YByt/V0K/BOxtybwNEj6clArU4XbKzND+KogahvvpIRoFC/
gD3eHG6WhC1eb+gC93AUMOgZu5JOy/6JgFhMWtw2/sT5iHk92BKmWcmamkG0OxzrY9xXwB3w
UvOQGwg08rREaz1UQhbuNZNkmausqPTiTqPmCR4r86shRsyeYYqes89oidJtmBkMmhk43Lxx
k+7QB41f4Kxtk7fFPeelrowa9m5ISz3WjF77LSrtc71Fh6NPSOTCEaKPaPRmOmes9Que3rJ8
AAAAAAAA
--------------ms080800090301030402050401--