>>>>> "Tom" == Tom Orban <[EMAIL PROTECTED]> writes:
Tom> My suggestions would be to:
Tom> 1) separate out the privileges for bos and vos. I would like to be able
Tom> to give permission to someone to release volumes. I don't want to
Tom> implicitly give them root on my servers because of this though.
There are several tools, such as CMU's adm or IBM Research's Sysctl, which can delegate
authorities with more granularity than stock AFS.
Tom> 2) Have transarc either provide an extra bosserver that *doesn't* have
Tom> a -exec option for those of us who think bos -exec is too big of a hole,
Tom> or maybe just add a -noexec option to the bosserver so those sites who
Tom> don't want -exec can start the bosserver without it.
Plugging bos -exec isn't going to fix much. Someone could easily
trojan horse something to the other machines using upserver/upclient
or bos install!! You're going to have to remove a couple more
options, too! (Also, what would stop someone from taking the AFS
libraries and building a new executable to get the desired behavior?)
I personally would rather physically secure my machines and leave things
alone.
What would have been nice is if each server had a unique Kerberos 4
principal (like most normal Kerberos setups). This way only one machine
would be compromised. Things seem to be getting better with DFS, BTW.