[OpenAFS-devel] kuserok() checking UID ownership on afs

[Russ Allbery]

Ken Raeburn <raeburn at MIT.EDU> writes:

> Generally, only if the user actually logs in, turning control of any
> non-home-directory resources over to whomever has write access to the
> home directory or dotfiles.  If I never log in to a system using my AFS
> homedir, and never use my .cshrc file, it doesn't matter if I
> accidentally give you write access to it.  You don't get access to my
> email, and you don't get to use my Kerberos credentials or AFS tokens
> (which I may happily be using from a laptop).

Okay, true, but that seems rather unlikely.  If you never log in, how did
you manage to accidentally give someone else write access to your home
directory?  (And I don't see how changing your .k5login file on a system
you don't log on to gets them access to your credentials or AFS tokens.)

> Accidental world-write access to certain dotfiles while not the
> directory itself (granted, generally not an issue for AFS, with the lack
> of such fine-grained control, unless the dotfiles are symlinks to
> elsewhere).

Oh, I have no problems with checking to be sure that .k5login isn't
word-writable, I just object to checking its ownership.  I should have
made that clearer.  The file mode checks (and even directory mode checks)
don't cause the same problems that the ownership checks cause.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>