Thanks to Michael, we now have mail delivery into AFS working on deleuze. All mail delivery takes place using the user's own AFS tokens. This means there is no "mail delivery superuser" identity with the power to write to all mailboxes. This eliminates the mount-point security issue that cclausen aptly pointed out a few weeks back.
The basic chain of authentication works as follows:

  1. exim4 runs as root
  2. exim setuid()'s itself to the user for whom the mail is being delivered
  3. that UNIX userid can read deleuze:/etc/keytabs/email/$USER.email.keytab
  4. said keytab is used to acquire AFS tokens

... and after that, everything is running with the user's UNIX userid and the user's AFS tokens. The interesting stuff is in /etc/exim4/get-tokens if anybody needs to see how it works.

- a

-- 
PGP/GPG: 5C9F F366 C9CF 2145 E770 B1B8 EFB1 462D A146 C380

_______________________________________________
HCoop-SysAdmin mailing list
[email protected]
http://hcoop.net/cgi-bin/mailman/listinfo/hcoop-sysadmin
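The whole scheme above rests on step 3: the per-user keytab in /etc/keytabs/email/ must be readable only by the UNIX user it belongs to, because whoever can read it can obtain that user's AFS tokens. The following audit script is an added example written for this post; it is not HCoop's get-tokens script and does not reproduce it. It checks ownership and permission bits of every file in the keytab directory. The directory layout ($USER.email.keytab) is taken from the post; the sample directory, the file contents and the uid table in demo() are constructed for illustration.

```python
import os
import stat
import tempfile

# Layout from the post: one keytab per user, named $USER.email.keytab.
KEYTAB_DIR = "/etc/keytabs/email"
SUFFIX = ".email.keytab"


def audit_keytab(path, owner_uid):
    """Return a list of problems with one keytab file (empty list = OK).

    owner_uid is the UNIX uid the keytab belongs to.  The file must be owned
    by that uid and carry no group/other permission bits; otherwise another
    account on the host could acquire that user's AFS tokens.
    """
    problems = []
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
        return problems
    if st.st_uid != owner_uid:
        problems.append("owned by uid %d, expected %d" % (st.st_uid, owner_uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o grants group/other access"
                        % stat.S_IMODE(st.st_mode))
    return problems


def audit_dir(keytab_dir, uid_of):
    """Audit every entry in keytab_dir; returns {filename: [problems]}.

    uid_of(username) -> uid is injected so that a real run can pass
    pwd.getpwnam(u).pw_uid while tests pass a fixed table.  Files that do
    not follow the naming scheme are reported, since anything else in this
    directory is unexpected.
    """
    report = {}
    for name in sorted(os.listdir(keytab_dir)):
        path = os.path.join(keytab_dir, name)
        if not name.endswith(SUFFIX):
            report[name] = ["unexpected file in keytab directory"]
            continue
        user = name[:-len(SUFFIX)]
        try:
            uid = uid_of(user)
        except KeyError:
            report[name] = ["no such UNIX user: %s" % user]
            continue
        report[name] = audit_keytab(path, uid)
    return report


def demo():
    """Audit a constructed keytab directory (sample data, not real keytabs)."""
    me = os.getuid()
    # Constructed uid table: alice and bob map to the current uid, carol to
    # a different one so that an ownership mismatch shows up.
    table = {"alice": me, "bob": me, "carol": me + 1}
    with tempfile.TemporaryDirectory() as d:
        for name, mode in [("alice.email.keytab", 0o600),   # correct
                           ("bob.email.keytab", 0o644),     # world-readable
                           ("carol.email.keytab", 0o600)]:  # wrong owner
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(b"\x05\x02")  # placeholder bytes, not a real keytab
            os.chmod(p, mode)
        open(os.path.join(d, "README"), "w").close()  # stray file
        return audit_dir(d, lambda u: table[u])


if __name__ == "__main__":
    # On the real host, replace demo() with:
    #   import pwd
    #   audit_dir(KEYTAB_DIR, lambda u: pwd.getpwnam(u).pw_uid)
    for name, problems in demo().items():
        print(name, "OK" if not problems else "; ".join(problems))
```

A clean run reports every *.email.keytab as OK and nothing else in the directory; any "grants group/other access" or "owned by uid" line means the token-acquisition step no longer isolates users from each other.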
