[46] in Info-AFS_Redistribution


Re: Setting up AFS -- beware

daemon@ATHENA.MIT.EDU (daemon@ATHENA.MIT.EDU)
Mon Jan 14 04:29:32 1991

Date: Mon, 14 Jan 1991 09:47:12 +0100 (MET)
From: Christer Bernerus <bernerus@cs.chalmers.se>
To: kriso@northstar.dartmouth.edu (Kris Olander),
Cc: info-afs@transarc.com
In-Reply-To: <9101111908.AA05317@pit.awdpa.ibm.com>

\begindata{text,1983048}
\textdsversion{12}
\template{messages}


\excerptedcaption{Excerpts from info-afs: 11-Jan-91 Re: Setting up AFS -- 
beware Kris Olander@northstar.d (2034)}


\quotation{Shouldn't make any difference.  Generally these cron jobs are run 
by root which usually isn't authenticated for access (especially delete/write) 
in the /afs tree.  Also, even if root did get authenticated to traverse and 
delete files within your cell, it wouldn't have in any other cell.  Please!!!, 
if anyone can prove this to be an incorrect statement, let me know!}


I agree with you that if the AFS cell is properly set up, root cannot do much 
damage to the file system.

My concern, however, was with the health of the \bold{network}, especially the 
link between Stockholm and JvNC. It's only 64 kbits/sec and I don't want to 
use it for unnecessary traffic.


\quotation{Root is definitely restricted in AFS.}


I'm not sure what you mean by this. If you mean that root doesn't have any 
more special rights than anybody else (i.e. system:anyuser), I agree. But I 
don't agree if you mean that root has even more restrictions than any other 
unauthenticated user.


Maybe there should be another "system" group \italic{system:anyauth} which 
would mean \italic{anybody} authenticated in \italic{any} cell. This might 
allow us to share files between authenticated users but exclude anyone 
unauthenticated, such as root run from cron. Another way of turning this is to 
create a group \italic{system:unauth} which then could be given negative 
rights somewhere in a cell's tree to stop further root access.


These ideas have probably already been on trial somewhere in the Pittsburgh 
area; maybe someone at Transarc could spread some light on the subject.


For now I'll try


%find / -name <pattern> -exec <command>\\; -o -name /afs -prune


And see if it works. It doesn't solve the find database problem, but if it 
works, I'll feel a bit more comfortable.


Chris.






\enddata{text,1983048}
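Added example, not part of the original message: on a constructed directory tree it compares the prune expression in the shape posted above with one that matches the mount point by path. `-name` compares only the last path component, so a pattern containing a slash never matches and find still walks the tree. The function names and the stand-in `afs` directory are assumptions of this sketch.

```shell
#!/bin/sh
# Constructed demo tree: the "afs" directory stands in for the /afs mount
# point, with a file below a foreign cell and one on local disk.
make_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/afs/other.cell/usr" "$root/home/user"
    : > "$root/afs/other.cell/usr/core"
    : > "$root/home/user/core"
    printf '%s\n' "$root"
}

# Shape of the command in the message: "-name /afs -prune".
# -name is tested against the basename only, so "/afs" matches nothing,
# the prune never fires, and find descends into the afs subtree.
# (GNU find prints a warning about the slash; it is discarded here.)
scan_name_slash() {
    find "$1" -name "$2" -print -o -name /afs -prune 2>/dev/null |
        sed "s|^$1/||" | sort
}

# Prune by full path, tested before the match expression, so the subtree
# is cut off at the mount point and nothing below it is visited.
scan_path_prune() {
    find "$1" -path "$1/afs" -prune -o -name "$2" -print |
        sed "s|^$1/||" | sort
}

# Stand-alone run: list what each variant reports for files named "core".
demo=$(make_demo_tree)
echo "prune via -name /afs:"
scan_name_slash "$demo" core
echo "prune via -path:"
scan_path_prune "$demo" core
rm -rf "$demo"
```

A hit reported below `afs/` means find traversed that subtree, which is the traffic the message is concerned about.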

