On Wednesday, May 24, 2006 10:59:30 AM -0500 Sidney Cammeresi
<[EMAIL PROTECTED]> wrote:
> My user is a member of system:ptsviewers but not system:administrators.
> I read from the 1.2.5 release notes (I am not running that version, of
> course) that
>
>     A new system group is created for new cells (system:ptsviewers
>     with id -203). If this group exists, members of this group can
>     examine and read the entire protection database. They can examine
>     all users and groups and can get the membership of any group.
>
> So I added myself to system:ptsviewers and can view everything,
> but pts listentries fails, saying permission denied. And indeed,
> the documentation for pts listentries says it requires membership in
> system:administrators.
>
> Shouldn't it also be okay with membership in system:ptsviewers or is there
> a reason why `can read the entire prdb' shouldn't extend to enumerating
> its contents?

pts listentries works by making multiple calls to the ptserver, each of
which retrieves several entries at once. The call it uses is a relatively
low-level interface which works by scanning the PRDB looking for entries
representing users and groups. The scan starts at a database block number
given by the caller, and continues until 500 entries have been found or the
end of the database is reached. This interface, like all calls which
operate directly on the PRDB at the database block layer, is restricted to
administrators for security reasons.
-- Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
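
The paged scan described in the reply above, modeled as an added example (not part of the original message and not OpenAFS code). The in-memory database, function names and error code are hypothetical; only the 500-entry cap per call and the administrator-only restriction come from the message.

```c
#include <stdio.h>

#define PAGE_MAX   500    /* per-call cap stated in the message */
#define DB_BLOCKS  2000   /* size of the constructed toy database */
#define E_PERM     (-1)   /* hypothetical "permission denied" code */

enum kind { BLK_OTHER = 0, BLK_USER, BLK_GROUP };
struct block { enum kind kind; int id; };
static struct block db[DB_BLOCKS];

/* Constructed sample data: every third block is not a user/group entry. */
static int build_db(void) {
    int n = 0;
    for (int i = 0; i < DB_BLOCKS; i++) {
        if (i % 3 == 2) continue;                    /* stays BLK_OTHER */
        db[i].kind = (i % 3 == 0) ? BLK_USER : BLK_GROUP;
        db[i].id = (i % 3 == 0) ? i + 1 : -(i + 1);  /* groups: negative ids */
        n++;
    }
    return n;
}

/* Server side: scan from a caller-supplied block number until PAGE_MAX
 * entries are found or the database ends. Returns the entry count or E_PERM;
 * *next is the block to resume at, or -1 at end of database. */
static int scan_entries(int is_admin, int start, struct block *out, int *next) {
    if (!is_admin) return E_PERM;     /* block-layer call: administrators only */
    if (start < 0) start = 0;         /* caller-supplied, so bounds-check it */
    int n = 0, i = start;
    for (; i < DB_BLOCKS && n < PAGE_MAX; i++)
        if (db[i].kind != BLK_OTHER) out[n++] = db[i];
    *next = (i < DB_BLOCKS) ? i : -1;
    return n;
}

/* Client side: repeat the call until the server reports end of database. */
static int list_all(int is_admin, int *calls) {
    struct block page[PAGE_MAX];
    int total = 0, start = 0;
    *calls = 0;
    while (start != -1) {
        int next, n = scan_entries(is_admin, start, page, &next);
        (*calls)++;
        if (n < 0) return n;          /* denied on the first call */
        total += n;
        start = next;
    }
    return total;
}

int main(void) { int c, t; build_db(); t = list_all(1, &c); printf("%d entries in %d calls\n", t, c); return 0; }
```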