Jeffrey Altman <[email protected]> writes:

> I suspect that the above is a security issue. It means that user 1 can
> be assigned pts id "foo" and if "foo" is deleted (but not foo's groups)
> when user 1 leaves the company, then when user 2 comes along and is
> assigned the unused "foo", s/he will inherit all of the groups that
> belonged to user 1.

> I suspect the proper behavior should at some point become that deletion
> of pts id "foo" should remove all of the groups as well.

Ugh, no, please don't. Instead, I'd much rather see us break the (IMO
broken) behavior that forces namespace on groups based on who owns them.
We have a perfectly usable owner field that already says who owns the
group.

> By intentionally creating groups that are owned by no valid pts id, you
> increase the chance that such an id would be used for another purpose.

He's creating groups owned by PTS ID 0. I suspect that's safe.

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
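The risk raised above is that groups named "foo:*" outlive the pts user "foo" and then attach themselves, by name, to whoever is next given that name. An administrator can catch this before reusing a name by auditing for groups whose owner no longer resolves. The following is an added example, not code from the thread or from OpenAFS: it parses constructed lines in the shape of `pts examine` output, treats an owner printed as a bare number as a deleted id (that printing behaviour is an assumption of the example), and reports which name prefixes are still held by such orphaned groups. The sample groups, ids and the `EXISTING_USERS` set are made up.

```python
import re

# Constructed sample in the shape of `pts examine` output, one group per line.
# Not captured from a real cell: names, ids and owners are made up. The
# example assumes that pts prints an owner whose id no longer resolves to a
# name as the bare numeric id (here 1042, the deleted user "foo").
SAMPLE_PTS_EXAMINE = """\
Name: foo:admins, id: -205, owner: 1042, creator: 1042, membership: 3, flags: S-M--, group quota: 0.
Name: foo:readers, id: -206, owner: 1042, creator: 1042, membership: 5, flags: S-M--, group quota: 0.
Name: bar:team, id: -207, owner: bar, creator: bar, membership: 2, flags: S-M--, group quota: 0.
Name: bar:leads, id: -208, owner: bar:team, creator: bar, membership: 1, flags: S-M--, group quota: 0.
Name: system:administrators, id: -204, owner: system:administrators, creator: system:administrators, membership: 1, flags: S-M--, group quota: 0.
"""

# Constructed set of user names that currently exist in the cell ("foo" is gone).
EXISTING_USERS = {"bar", "admin"}

# Matches only the fields this check needs; the remaining fields are ignored.
LINE_RE = re.compile(
    r"Name: (?P<name>\S+), id: (?P<id>-?\d+), owner: (?P<owner>\S+), creator: (?P<creator>\S+),"
)


def parse_examine(text):
    """Parse `pts examine`-style lines into dicts with name, id, owner and creator."""
    groups = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            groups.append(m.groupdict())
    return groups


def find_orphaned_groups(groups, existing_users):
    """Return names of groups whose owner is neither an existing user nor an
    existing group. An owner shown as a bare number is taken to be a deleted id.
    """
    known_names = set(existing_users) | {g["name"] for g in groups}
    orphans = []
    for g in groups:
        owner = g["owner"]
        if owner.lstrip("-").isdigit() or owner not in known_names:
            orphans.append(g["name"])
    return orphans


def reserved_prefixes(groups, existing_users):
    """Name prefixes (the part before ':') still carried by orphaned groups.
    Giving a new user one of these names lets the old groups follow the name
    to that user, which is the situation described in the thread.
    """
    orphans = find_orphaned_groups(groups, existing_users)
    return {name.split(":", 1)[0] for name in orphans if ":" in name}


def is_safe_to_assign(new_name, groups, existing_users):
    """True if no orphaned group still uses new_name as its prefix."""
    return new_name not in reserved_prefixes(groups, existing_users)


if __name__ == "__main__":
    groups = parse_examine(SAMPLE_PTS_EXAMINE)
    for name in find_orphaned_groups(groups, EXISTING_USERS):
        print("orphaned group:", name)
    for candidate in ("foo", "baz"):
        print(candidate, "safe to assign:", is_safe_to_assign(candidate, groups, EXISTING_USERS))
```

In a real cell the input would come from `pts examine` run over the output of `pts listentries -groups`, and the `EXISTING_USERS` set from `pts listentries -users`; the check itself is the same. It only flags the condition; whether to delete the groups, rename them, or reassign their owner field is the policy decision the thread is arguing about.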
