On Thursday, January 26, 2006 10:00:42 PM -0800 Adam Megacz <[EMAIL PROTECTED]> wrote:


Jeffrey Hutzelman <[EMAIL PROTECTED]> writes:
using my "main" principal -- I executed these commands while holding
tokens for [EMAIL PROTECTED] in cell research.cs.berkeley.edu:
  $ pts creategroup project.sbp system:administrators -cell research.cs.berkeley.edu
  pts: Permission denied ; unable to create group project.sbp with id 0 owned by 'system:administrators'

Since you've shown that [EMAIL PROTECTED] is clearly a member of s:a,
my first guess is that for some reason your request was not really
authenticated as [EMAIL PROTECTED]  I suggest looking at the logs;
there should be a log message corresponding to the attempt which will
tell you the parameters used and who the ptserver actually thought you
were.

No; I think you're just not running with enough debugging.
The interesting message happens at LogLevel >= 25.

[EMAIL PROTECTED]:~$kinit [EMAIL PROTECTED]
Please enter the password for [EMAIL PROTECTED]:
[EMAIL PROTECTED]:~$aklog -c research.cs.berkeley.edu
[EMAIL PROTECTED]:~$pts creategroup project.test system:administrators -cell research.cs.berkeley.edu
pts: Permission denied ; unable to create group project.test with id 0 owned by 'system:administrators'

Fri Jan 27 05:58:36 2006 Set Debug On level = 25
[...]
Fri Jan 27 05:59:10 2006 PTS_NewEntry: code 267269 cid -204 aid -1212129404 aname project.test oid -204

Congratulations; you have found a bug. There is code in the ptserver which allows cross-realm users to create their own PTS entries, under certain circumstances. Such entries are always recorded with creator system:administrators, which is the only time a _group_ appears as the creator of an entry (except perhaps for certain entries created during database creation). An unintended side-effect of this code is that users from foreign realms cannot be treated as administrators for the purpose of creating PTS entries.

I have a fix in mind for this; if you forward this message to [EMAIL PROTECTED] and CC me, I will try to get you a patch shortly.

-- Jeff
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
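
Added example, not part of the original thread and not OpenAFS code: a small Python filter for ptserver debug logs that rejoins mail-wrapped records and reports PTS_NewEntry denials where the request was logged with cid -204, the pattern in the log line quoted above. It assumes that cid is the id the ptserver recorded for the caller, that 267269 is PRPERM ("Permission denied") and that -204 is system:administrators; the last two sample lines are constructed.

```python
import re

# Assumptions, not stated on the page: 267269 is PRPERM in the pt error
# table and -204 is the PTS id of system:administrators.
PRPERM = 267269
SYSADMIN_ID = -204

ENTRY_RE = re.compile(
    r"PTS_NewEntry: code (?P<code>-?\d+) cid (?P<cid>-?\d+) "
    r"aid (?P<aid>-?\d+) aname (?P<aname>\S+) oid (?P<oid>-?\d+)")
# ctime-style prefix, e.g. "Fri Jan 27 05:59:10 2006 "
STAMP_RE = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4} ")

# First three lines are from the thread; the last two are constructed.
SAMPLE_LOG = """\
Fri Jan 27 05:58:36 2006 Set Debug On level = 25
Fri Jan 27 05:59:10 2006 PTS_NewEntry: code 267269 cid -204 aid
-1212129404 aname project.test oid -204
Fri Jan 27 06:01:02 2006 PTS_NewEntry: code 267269 cid 1024 aid 0 aname project.x oid 1024
Fri Jan 27 06:02:15 2006 PTS_NewEntry: code 0 cid 1024 aid -300 aname alice:friends oid 1024
"""

def unwrap(lines):
    """Rejoin records split by mail wrapping: a line with no leading
    timestamp is the continuation of the previous record."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if STAMP_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def denied_as_sysadmin(lines):
    """Return parsed PTS_NewEntry records refused with PRPERM although the
    logged caller id was system:administrators."""
    hits = []
    for record in unwrap(lines):
        m = ENTRY_RE.search(record)
        if not m:
            continue
        f = {k: v if k == "aname" else int(v) for k, v in m.groupdict().items()}
        if f["code"] == PRPERM and f["cid"] == SYSADMIN_ID:
            hits.append(f)
    return hits

if __name__ == "__main__":
    for hit in denied_as_sysadmin(SAMPLE_LOG.splitlines()):
        print(hit)
```
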
