NFS permissions are based on notions of "trusted hosts"; NFS
assumes that if machine Y says user X wants access and
it knows about machine Y, then user X is really user
X, and it proceeds.

AFS permissions are based on Kerberos tickets, and AFS in
fact basically ignores IP addresses (except for IP addresses
in ACLs). So on the whole, most of the security problems of
NFS just don't exist.

For the NFS/AFS translator, access to AFS files is still
controlled by a Kerberos ticket. There isn't any special
code in the AFS file server for NFS. That's why there are
special provisions in klog to ship the Kerberos ticket over
to the NFS/AFS translator. Since the files are actually
being accessed by the translator, it should be the
translator's IP address that is used (although with some changes
in semantics, it could be based on the IP address contained in
the Kerberos ticket instead). There is no way it could be the
IP address of the remote NFS machine, 'cause that would make IP
address based permissions trivial to break (just set up
your own translator, and lie about what IP address is
being used).

-Marcus Watts
UM ITD RS Umich Systems Group
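
The following is an added example, not part of the original post and not AFS or NFS code: a simplified Python model of the two authorization decisions described above and of the translator's place between them. An HMAC-signed token stands in for a Kerberos ticket, and every name, key and address is a constructed, hypothetical value.

```python
import hashlib
import hmac

# Constructed sample data; all names, keys and addresses are hypothetical.
NFS_TRUSTED_HOSTS = {"192.0.2.10"}
CELL_KEY = b"constructed-demo-key"  # stand-in for the AFS service key
USER_ACL = {"alice"}                # user entry in an AFS ACL
IP_ACL = {"192.0.2.50"}             # IP-address entry in an AFS ACL

def issue_ticket(user):
    """Stand-in for klog: bind a user name under the service key."""
    mac = hmac.new(CELL_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"

def ticket_user(ticket):
    """Return the authenticated user, or None if the ticket does not verify."""
    user, _, mac = ticket.partition(":")
    good = hmac.new(CELL_KEY, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(mac, good) else None

def nfs_allows(peer_ip, claimed_user, owner):
    """Trusted-host model: a known host's statement about the user is believed."""
    return peer_ip in NFS_TRUSTED_HOSTS and claimed_user == owner

def afs_allows(peer_ip, ticket):
    """Ticket model: identity comes from the verified ticket; IP ACL entries
    are matched against the peer actually talking to the file server."""
    return ticket_user(ticket) in USER_ACL or peer_ip in IP_ACL

class Translator:
    """NFS/AFS translator: holds tickets shipped over by klog, keyed by
    (NFS client address, uid), and accesses AFS from its own address."""
    def __init__(self, ip):
        self.ip = ip
        self.tickets = {}

    def receive_ticket(self, nfs_ip, uid, ticket):
        self.tickets[(nfs_ip, uid)] = ticket

    def access(self, nfs_ip, uid):
        # The file server sees self.ip, never the NFS client's address.
        return afs_allows(self.ip, self.tickets.get((nfs_ip, uid), ""))
```

In this model an NFS client whose own address appears in an IP ACL gains nothing through a translator at a different address, while a translator whose address is in the IP ACL extends that entry to every NFS client it serves.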