[2528] in SIPB-AFS-requests

home help back first fref pref prev next nref lref last post

Re: fun with pts

daemon@ATHENA.MIT.EDU (mhpower@MIT.EDU)
Mon Oct 28 01:15:25 1996

From: mhpower@MIT.EDU
To: marc@MIT.EDU
Cc: sipb-afsreq@MIT.EDU
In-Reply-To: "[2527] in SIPB-AFS-requests"
Date: Mon, 28 Oct 1996 01:15:02 EST

>*Anybody* with an ATHENA.MIT.EDU kerberos principal can now create
>themselves a principal in the sipb cell:

Presumably anyone can also create pts entries in the sipb cell using
kerberos principals such as, say, moira@ATHENA.MIT.EDU.

>                                ... the system:authuser@athena.mit.edu
>group, which can be placed on any acl.

I'm not sure there are many classes of directories for which it's
reasonable to give access to system:authuser@athena.mit.edu but not to
system:anyuser. The only example that comes to mind are directories
that you'd prefer not be randomly browsed on the web. I think trying
to restrict software access using system:authuser@athena.mit.edu is
counterproductive: it has such limited real utility that it just
increases the pressure to use such abominations as "unwrap". I think
we're better off continuing to use system:authuser in the sipb cell.

Matt

home help back first fref pref prev next nref lref last post