[OpenAFS-devel] kuserok() checking UID ownership on afs

Douglas E. Engert deengert at anl.gov
Thu Feb 3 07:35:33 EST 2005

Jeffrey Hutzelman wrote:

>>> 1. Acquire krbtgt (forwarded or with passwd) to memory
>>> 2. Set up AFS stuff (afs service ticket, token, pag) if possible
>>> 3. Evaluate .k5login
>>> 4. Decide if user is OK
>>> 5. Give ticket to user
>>> 6. Login user into pag from above
>> It's not the Kerberos code that needs bending; it's the login applications
>> that need to get credentials to access the potential home directory
>> before trying to access any files in the home directory.
> Unfortunately, you're both trying to solve not the problem that Troy and 
> Russ were actually discussing.  You're trying to solve the "I can't 
> access the user's .k5login" problem, but the problem they were talking 
> about is "how can I prove that no one _except_ the user could have 
> written to the .k5login?".

Those are both valid problems.

Maybe it's time to get rid of the .k5login; it has some security implications
where a user can give access to his accounts. Some sites might not like
this flexibility.

The related problem I would like to solve is that I don't want to have to have
the dot files world readable so root on a machine I am on can read the
.k5login without a token, and I don't want to have to play all the games of symlinks
to a dotfile directory with rl.

> -- Jeff


  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
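The question Jeff raises, "prove that no one except the user could have written to the .k5login", is what a kuserok()-style ownership and mode check tries to answer from POSIX metadata. The following is an added example, not code from the thread or from any Kerberos implementation; the policy it applies (file owned by the user or root, not writable by group or others, principal listed one per line) is an assumed simplification, and the principals and stat values are constructed for illustration.

```python
import os
import stat
from dataclasses import dataclass


@dataclass
class FileInfo:
    """Subset of stat() results the check depends on (constructed in tests)."""
    uid: int
    mode: int  # permission bits only, as from stat.S_IMODE(st.st_mode)


def parse_k5login(text):
    """One principal per line; blank lines are ignored (assumed format)."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def k5login_ok(client_principal, k5login_text, info, user_uid):
    """Return (allowed, reason) for a client principal against a .k5login.

    The ownership and mode tests are what make the file's contents trustworthy
    on a local filesystem: if someone other than the user (or root) could have
    written it, the principal list proves nothing. On AFS the UID and mode bits
    do not describe who can write the file, which is the problem the thread
    is discussing, so this check is not sufficient evidence there.
    """
    if info.uid not in (user_uid, 0):
        return False, ".k5login not owned by the user or root"
    if info.mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, ".k5login is writable by group or others"
    if client_principal in parse_k5login(k5login_text):
        return True, "principal listed in .k5login"
    return False, "principal not listed in .k5login"


def check_k5login_file(client_principal, path, user_uid):
    """Run the check against a real file; needs read access to the file."""
    st = os.stat(path)
    with open(path) as f:
        text = f.read()
    info = FileInfo(st.st_uid, stat.S_IMODE(st.st_mode))
    return k5login_ok(client_principal, text, info, user_uid)
```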
