Hello Jim,
Thanks for pointing out the Phrack page.
I well remember being taught on the Transarc
AFS systems admin course to take care with ACLs.
"If you set system:anyuser rl then expect that
anyone could read the directory contents."
The fact that access may be from an HTTP/AFS gateway
makes no difference to this. Such gateways are useful.
I use an HTTP/DFS gateway to ensure access is blocked
to restricted parts of a DCE/DFS cell.
CellServDB should be considered "public knowledge" like DNS.
I believe there are more important issues that are key
to AFS security such as:
a) restricted access (admin login only) dedicated
database and fileservers (physically secure).
b) regular monitoring for sensible passwords
c) monitoring of server logs
d) peer review of your processes/systems admin
e) contracting a security team to test your setup
--
cheers
paul http://acm.org/~mpb
"Linux: the operating system with a CLUE... Command Line User Environment".
>Everyone may want to take a look at the following article that was in the
>latest issue of Phrack (9-9-99).
>
> Black Book of AFS
> http://www.phrack.com/search.phtml?view&article=p55-13
>
>A pretty simple and basic intro of AFS to the hacker community, however,
>it did reveal a couple of concerns.
[text deleted]
>--
>James J. Barlow <[EMAIL PROTECTED]>
>Senior System Engineer
>National Center for Supercomputing Applications
>605 East Springfield Avenue Voice : (217)244-6403
>Champaign, IL 61820 Cell : (217)840-0601
>http://www.ncsa.uiuc.edu/People/jbarlow Fax : (217)244-1987
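Paul's point about system:anyuser rl is the one an AFS admin can actually check for. The script below is an added example, not code from either poster or from Transarc: it reads the output of the standard `fs listacl` command and flags every directory where system:anyuser holds more than lookup (l). The directory names, the ACL entries and the www:staff group are constructed sample data, not taken from any real cell, and the sample assumes paths without spaces in them.

```shell
#!/bin/sh
# Audit AFS ACLs for over-broad system:anyuser rights.
#
# Real usage (feeds the live cell into the parser):
#   fs listacl /afs/example.org/www/* | audit_anyuser_acl
#
# Prints one line per directory that grants system:anyuser anything:
#   <dir> <rights> <verdict>
# Verdicts: WORLD-WRITABLE  (any of i d w k a present)
#           WORLD-READABLE  (r present, no write-class right)
#           lookup-only     (just l, which only allows traversal)
audit_anyuser_acl() {
  awk '
    # `fs listacl` output looks like:
    #   Access list for <dir> is
    #   Normal rights:
    #     <user-or-group> <rights>
    #   Negative rights:         (only present when there are any)
    #     <user-or-group> <rights>
    /^Access list for / { dir = $4; neg = 0; next }
    /^Normal rights:/   { neg = 0; next }
    /^Negative rights:/ { neg = 1; next }
    # Negative entries remove rights, so they never widen exposure.
    neg == 0 && $1 == "system:anyuser" {
      rights = $2
      if (rights ~ /[idwka]/)  verdict = "WORLD-WRITABLE"
      else if (rights ~ /r/)   verdict = "WORLD-READABLE"
      else                     verdict = "lookup-only"
      print dir, rights, verdict
    }
  '
}

# Constructed sample `fs listacl` output (assumed cell and paths,
# not captured from a real AFS cell).
SAMPLE_ACL='Access list for /afs/example.org/www/public is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
Access list for /afs/example.org/www/private is
Normal rights:
  system:administrators rlidwka
  www:staff rlidwk
  system:anyuser l
Access list for /afs/example.org/www/upload is
Normal rights:
  system:administrators rlidwka
  system:anyuser rlidwk
Negative rights:
  badguy rl'

# Run the audit over the constructed sample.
audit_sample() {
  printf '%s\n' "$SAMPLE_ACL" | audit_anyuser_acl
}

audit_sample
# Remediation for a WORLD-WRITABLE hit is the standard fs command, e.g.
#   fs setacl /afs/example.org/www/upload system:anyuser l
# which leaves traversal in place but removes read and write for anyuser.
```

The parser treats lookup-only as acceptable because most AFS trees need system:anyuser l on parent directories for clients to traverse at all; whether WORLD-READABLE is a finding depends on whether the directory is meant to be public, which is exactly the judgement Paul says the ACL setter has to make.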