Hi,
> We need to create a data management type of program that enables
> movement of UNIX files to different AFS directories (e.g.,
> experimental, production, etc.). This needs to be a program
> because we don't want users to be able to just login and
> move files around at will. In order to accomplish this task
> we need to perform a setuid or similar function to give the
> program privileges that the user does not have.
> Is this possible within an AFS directory environment? How are
> other people accomplishing this? Are there examples of programs
> that provide this function?
We have addressed this problem here at IBM Research in the following manner.
First, we developed something called sysctl, which is an authenticated
client/server system for executing remote commands.
Next, we built tools on top of sysctl for accomplishing tasks such as
the one you mention above. The way this works is that the user runs a
script/program on the client machine, which talks to a trusted server,
which in turn runs the privileged command(s). The server checks an
authorization list after decoding the user's kerberos ticket.
The sysctl work is being presented at the LISA conference this week. For
a copy of a paper describing sysctl or more information please send mail to:
[EMAIL PROTECTED]
Details of the authentication and authorization can be found in the paper.
Cheers,
=====================================================================
Michael S. Fagan IBM Research
[[EMAIL PROTECTED]] Project Agora
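The server-side decision described above (decode the caller's identity, consult an authorization list, then run the privileged move on the user's behalf), as an added illustration that is not the sysctl code from the post. It assumes the Kerberos ticket has already been verified and reduced to a principal name, and that the AFS area names and directories are constructed placeholders.

```python
"""Authorization-list check for a sysctl-style privileged command broker.

Constructed example. The server is assumed to have already verified the
client's Kerberos ticket and extracted the principal; only the decision of
whether that principal may move a given file between two AFS areas is shown.
"""
import posixpath

# Constructed: named AFS areas and the directories they map to.
AREAS = {
    "experimental": "/afs/example.org/proj/experimental",
    "production": "/afs/example.org/proj/production",
}

# Constructed authorization list: principal -> allowed (source, destination) moves.
AUTHZ = {
    "alice@EXAMPLE.ORG": {("experimental", "production")},
    "bob@EXAMPLE.ORG": {("experimental", "production"),
                        ("production", "experimental")},
}


class Denied(Exception):
    """Raised when the request fails the authorization list or path rules."""


def resolve(area: str, relpath: str) -> str:
    """Join relpath under the area's directory; refuse anything that escapes it."""
    base = AREAS[area]
    full = posixpath.normpath(posixpath.join(base, relpath))
    if full == base or not full.startswith(base + "/"):
        raise Denied(f"{relpath!r} escapes area {area}")
    return full


def authorize_move(principal: str, src_area: str, dst_area: str, relpath: str):
    """Return (src, dst) absolute paths if principal may perform this move.

    The server would then perform the rename with its own AFS privileges;
    the user never holds those privileges directly.
    """
    if src_area not in AREAS or dst_area not in AREAS:
        raise Denied("unknown area")
    if (src_area, dst_area) not in AUTHZ.get(principal, set()):
        raise Denied(f"{principal} may not move {src_area} -> {dst_area}")
    if posixpath.isabs(relpath):
        raise Denied("only paths relative to the area are accepted")
    return resolve(src_area, relpath), resolve(dst_area, relpath)


def is_allowed(principal: str, src_area: str, dst_area: str, relpath: str) -> bool:
    """Boolean wrapper around authorize_move for callers that only need yes/no."""
    try:
        authorize_move(principal, src_area, dst_area, relpath)
        return True
    except Denied:
        return False
```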