On Friday, August 12, 2005 08:10:04 PM -0500 Troy Benjegerdes <[EMAIL PROTECTED]> wrote:
In my AFS as root filesystem testing, I ran into another snag.. I want to add a regular user to a group, and have them be able to do things like install software on a node image, but I don't want to have them be in the 'system:administrators' group.. What code makes members of the 'system:administrators' group special so they can create files owned by uid/gid 0, but not regular users? Is there a reasonable way to modify this, maybe on a per-volume basis?
Membership in the system:administrators group confers superuser privileges with respect to the AFS filesystem. Members of this group can do things like manipulate ACL's on directories where they don't have admin access, and can also do a variety of things that are not permitted for ordinary users. Among these are the ability to change the ownership of files and to set the setuid and setgid bits on files.
The code that enforces this restriction lives in a variety of places within the fileserver. Most of the work is done in src/viced/afsfileprocs.c, in Check_PermissionRights() and Update_TargetVnodeStatus().
Any change to these restrictions is likely to have significant security implications, and should be reviewed carefully before being accepted or deployed.
-- Jeff _______________________________________________ OpenAFS-devel mailing list [email protected] https://lists.openafs.org/mailman/listinfo/openafs-devel
