[8528] in Info-AFS_Redistribution


Re: cron on AFS files

daemon@ATHENA.MIT.EDU (Ken Hornstein)
Sun Mar 4 02:19:18 2001

Message-Id: <200103040710.f247AA920429@ginger.cmf.nrl.navy.mil>
To: Peter Scott <Peter.J.Scott@jpl.nasa.gov>
cc: info-afs@transarc.com
In-reply-to: Your message of "Sat, 03 Mar 2001 18:04:07 PST."
             <4.3.2.7.2.20010303175837.00b2f7a0@mail2a.jpl.nasa.gov> 
Date: Sun, 04 Mar 2001 02:10:11 -0500
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>

>>In case you're wondering .... for users that want this at our site, we
>>give them a special "cron" instance (kenh/cron in V5 format, kenh.cron in
>>V4 format) and let the user add the cron instance to the appropriate ACLs
>>in AFS.  Since that special cron user has restricted privileges (they
>>can't use it for interactive login by default), I'm comfortable with
>>that tradeoff.  But since we use Kerberos 5 with AFS, we use Kerberos 5
>>tools for that, so that won't help you.
>
>Hmmph.  So what do your cron users do when they want to write cron jobs 
>that modify files in AFS?  Trust all their fellow cron users?

The keytab file is protected via Unix permissions; cron jobs that run
under other users' IDs can't read the keytab.

--Ken
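
Added example (not part of the message above, and not the site's actual tooling): a cron wrapper that refuses to use a keytab unless Unix permissions restrict it to the invoking user, which is the protection the reply relies on. The `kinit -k -t`, `aklog` and `kdestroy` invocations, the file paths and the script name are assumptions for illustration; `kenh/cron` is the instance named in the quoted text.

```shell
#!/bin/sh
# Added illustration; principal, paths and tool invocations are assumptions.

# Succeed only if FILE is a regular file (not a symlink), owned by the
# invoking user, with no group or other permission bits set.
keytab_is_private() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    # ls -ldn prints: mode links uid gid ...; numeric ids avoid name lookups.
    set -- $(ls -ldn -- "$f")
    mode=$1 owner=$3
    [ "$owner" = "$(id -u)" ] || return 1
    # Characters 5-10 of the mode string are the group and other bits.
    [ "$(printf '%s' "$mode" | cut -c5-10)" = "------" ]
}

# Usage: run_cron_job KEYTAB PRINCIPAL COMMAND [ARGS...]
run_cron_job() {
    keytab=$1 principal=$2
    shift 2
    if ! keytab_is_private "$keytab"; then
        echo "refusing to use $keytab: not private to uid $(id -u)" >&2
        return 1
    fi
    # Private credential cache for this job only.
    KRB5CCNAME="FILE:$(mktemp /tmp/krb5cc_cron_XXXXXX)" || return 1
    export KRB5CCNAME
    # Assumed tools: MIT kinit for the keytab login, aklog for the AFS token.
    kinit -k -t "$keytab" "$principal" && aklog && "$@"
    status=$?
    kdestroy >/dev/null 2>&1
    return $status
}

# Example crontab entry (hypothetical paths and script name):
#   0 3 * * * /usr/local/bin/afs-cron.sh $HOME/.cron.keytab kenh/cron $HOME/bin/nightly
if [ "$#" -ge 3 ]; then
    run_cron_job "$@"
fi
```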
