> Second, there is a security concern that Rick Cochran has pointed out
> here before. If you happen to log in to the ftp server as root, do a klog,
> and leave a token owned by root lying around, all anonymous ftp users
> will have access to that token until it expires (or you unlog it)!
>
>There is a simple way to deal with that: get a Process Authentication Group
>by running pagsh then klog. That way the AFS token is only associated
>with processes with that PAG _not_ with UNIX UID 0.
>
>Alternatively, install AFS-aware login which will automatically get
>you the PAG on login.
>See also: http://www.transarc.com/Product/AFS/FAQ/faq.html#sub2.06

All good advice. My point was merely that this is a concern to be aware
of. People who use root on server machines should be fully aware of the
potential consequences of their actions.

Installing a properly modified ftpd is another good choice.

BTW, regarding the use of AFS login, it doesn't appear to me that a PAG
is created if you log in as root, which in many cells doesn't have an
associated AFS ID. Using su from your regular account that already has
a PAG creates the root shell as a member of the PAG.

-Mitch