[1491] in SIPB-AFS-requests
vbckd, for making vos backups unprivileged
daemon@ATHENA.MIT.EDU (mhpower@MIT.EDU)
Mon Sep 5 18:10:54 1994
From: mhpower@MIT.EDU
Date: Mon, 5 Sep 1994 18:03:39 -0400
To: sipb-afsreq@MIT.EDU
I wrote a server that I'd like to use for making "vos backup" on user
volumes in the sipb cell an unprivileged operation. There seems to be
some interest in lettings users run vos backup on their own user
volume for two reasons:
-- They want their backup volume updated on a different schedule
than generally occurs for the sipb cell, e.g., a more freqeunt
vos backup so they can recover recently deleted files
-- They accidentally leave something in a backup volume accessible
to system:anyuser, and it may be there a long time before an
afs administrator next runs vos backup on their volume. I'd
say this is the more important concern, and it has happpened...
The code for the server is in ~mhpower/src/vbck. Basically, it would
run as root on ronald-ann, authenticate the user via Kerberos, check
for the existence of the normal mountpoint /afs/sipb/user/username,
and then fork off a process to run vos backup with the -localauth
option. The authorization policy is that if you can authenticate as
username@ATHENA.MIT.EDU, then you can run vos backup on user.username
in the sipb cell. Presumably we could stick in exceptions if needed.
The implementation uses Kerberos "private messages" (krb_{mk,rd}_priv)
and also requires the client to decrypt different random data on each
connection, as a protection against replays. Presumably the code might
later be extended to do other things, e.g., adding pts entries.
Although I think this works correctly, I'll hold off on installing it
as root on ronald-ann for at least a week. I'd rather not install
something that (to choose a random example) had the unfortunate side
effect of letting the client create the volume "user.jpkirby".
Matt
