>
>For example, if you are root on a fileserver (or in our cell on
>any machine),
I still don't understand this. How is this possible unless you either
a) have the keyfile on all machines (which seems to be misconfigured then)
b) people leave tokens around or don't use PAG based tokens
>One person from Transarc wrote to me suggesting that instead of all
>this, I should lock up all file servers so that no one has access
>to them. I think this completely misses the point.
I don't think this misses the point at all. This is just good
administration, especially considering these machines' special role.
>modified my machines so that no one can log in as root on any terminal;
>the root password in /etc/passwd is '*'. I have modified the system
>so that no machine can boot up in single user mode without having
>a password.
Good administration ideas too, although if those machines are Suns, I
wouldn't put too much faith in the ability to keep people from booting
single user :-)
My suggestions would be to:
1) separate out the privileges for bos and vos. I would like to be able
to give permission to someone to release volumes. I don't want to
implicitly give them root on my servers because of this though.
2) Have Transarc either provide an extra bosserver that *doesn't* have
a -exec option for those of us who think bos -exec is too big of a hole,
or maybe just add a -noexec option to the bosserver so those sites who
don't want -exec can start the bosserver without it.
-Tom