[8528] in Info-AFS_Redistribution
Re: cron on AFS files]
daemon@ATHENA.MIT.EDU (Ken Hornstein)
Sun Mar 4 02:19:18 2001
Message-Id: <200103040710.f247AA920429@ginger.cmf.nrl.navy.mil>
To: Peter Scott <Peter.J.Scott@jpl.nasa.gov>
cc: info-afs@transarc.com
In-reply-to: Your message of "Sat, 03 Mar 2001 18:04:07 PST."
<4.3.2.7.2.20010303175837.00b2f7a0@mail2a.jpl.nasa.gov>
Date: Sun, 04 Mar 2001 02:10:11 -0500
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
>>In case you're wondering .... for users that want this at our site, we
>>give them a special "cron" instance (kenh/cron in V5 format, kenh.cron in
>>V4 format) and let the user add the cron instance to the appropriate ACLs
>>in AFS. Since that special cron user has restricted privileges (they
>>can't use it for interactive login by default), I'm comfortable with
>>that tradeoff. But since we use Kerberos 5 with AFS, we use Kerberos 5
>>tools for that, so that won't help you.
>
>Hmmph. So what do your cron users do when they want to write cron jobs
>that modify files in AFS? Trust all their fellow cron users?
The keytab file is protected via Unix permissions; cron jobs that run
under other users' IDs can't read the keytab.
--Ken
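
The arrangement described in the message above, sketched as a cron wrapper. This is an added example, not part of the original post and not the site's actual tooling. The function names, keytab path and principal are hypothetical, and it assumes MIT-style `kinit -k -t` plus an `aklog` that can obtain AFS tokens from Kerberos 5 tickets.

```shell
#!/bin/sh
# Added example (hypothetical names): use a per-user cron keytab only if
# Unix permissions really keep other users' cron jobs from reading it.

# Succeeds only for a regular file (not a symlink) owned by the calling
# user with no group/other permission bits, i.e. mode 0600 or 0400.
keytab_is_private() {
    kt=$1
    [ -f "$kt" ] && [ ! -L "$kt" ] || return 1
    meta=$(ls -ldn -- "$kt") || return 1     # -n prints the numeric uid
    mode=${meta%% *}
    owner=$(printf '%s\n' "$meta" | awk '{print $3}')
    [ "$owner" = "$(id -u)" ] || return 1
    case $mode in
        -r[w-]-------*) return 0 ;;           # rw------- or r--------
        *) return 1 ;;
    esac
}

# run_with_cron_tickets KEYTAB PRINCIPAL COMMAND [ARGS...]
# Gets tickets for the cron instance into a private cache, converts them
# to AFS tokens, runs the job, then destroys the tickets.
run_with_cron_tickets() {
    kt=$1; princ=$2; shift 2
    if ! keytab_is_private "$kt"; then
        echo "refusing keytab $kt: must be owned by uid $(id -u), mode 0600 or 0400" >&2
        return 1
    fi
    KRB5CCNAME=FILE:$(mktemp "${TMPDIR:-/tmp}/krb5cc_cron.XXXXXX") || return 1
    export KRB5CCNAME
    rc=0
    kinit -k -t "$kt" "$princ" && aklog && "$@" || rc=$?
    kdestroy >/dev/null 2>&1
    return "$rc"
}

# Constructed crontab usage (paths and principal are placeholders):
#   0 3 * * * /home/kenh/bin/afscron.sh /home/kenh/.cron.keytab kenh/cron /home/kenh/bin/job
if [ "$#" -ge 3 ]; then
    run_with_cron_tickets "$@"
fi
```

The permission check covers only the local keytab; what the cron instance can touch in AFS is still decided by the ACLs the user added it to.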