-----BEGIN PGP SIGNED MESSAGE-----
> Andrea mentioned that AFS is very similar to CODA, and the CODA
> solution is
> to use rename() as I was planning on doing. Peter had cautioned
> that rename
> will overwrite existing files whereas hard links will not lose
> any existing
> files. Archived discussion threads indicate that renaming is still
> relatively safe because the email file name is composed of the
> current date/time, PID and host name and it is unlikely that the
> PID would recycle within 1 second.
I think rename() is safe. Even link() is of course better, the event
that two nodes of the cluster are writing a mail with same
data,pid,hostname (???) is obviously very very rare (impossible?).
> The extended explanation of the problem is that AFS implements
> its own ACL,
> so that even the Unix root user may have no access to a users ~home
> directory; the holds true also that a user who has managed to log
> in to the
> Linux/Unix box may have no access to his own ~home directory.
Like Coda.
> Access to AFS
> files are granted by tokens issued by the AFS/Kerberos
> authentication server.
Like Coda, but Coda doesn't use kerberos.
> So during mail delivery, qmail-lspawn will setuid to become the
> email receipient, except that in most cases, this user will not
> have a valid
> token.
I don't know well AFS, but with Coda / Vpopmail is trivial. It's
sufficient to get a token for vpopmail and root users.
When qmail starts, it launch 2 scripts to get root and vpopmail
tokens. Then, crontab perform authentication for root / vpopmail
every 4 hours (security reasons, tokens are valid for much longer).
I really didn't need to patch qmail-local.
> In conjunction with all of the above, I will need a cron job to
> periodically
> refresh qmaill's AFS/Kerberos token so that qmaill will always
> have a valid
> token in order to make use of the ACL privileges that have been
> given to qmaill.
>
Yep. But I don't see the needs for patching qmail-local.c (except for
rename()).
- ---
Cordiali saluti / Best regards
Andrea Cerrito
^^^^^^^^^^^^^^
Net.Admin @ Centro MultiMediale di Terni S.p.A.
P.zzale Bosco 3A
05100 Terni IT
Tel. +39 0744 5441330
Fax. +39 0744 5441372
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>
iQEVAwUBO3K16vo9HK4+yTI3AQF0IQgAmgnnlQABR9szQN2KQHrxOLaSo92xxs8u
4vIkfmYT7eZrEIlYoRBazBa+8TfDyUqORNxatydzIBqiHBQcEf7AxBT8BhegNu9n
QN8UNhCOEJNRHf/DvluInZm2I6+MRxity2o6psKfkWliFFaP6Lu6G8bw41J0qKul
sVUkm5XtBzC5cfkiDzqAHmr+J8yv5CJiOAYuOueQ+yY2KJd0qlvMEmewBYr0rDsK
kCuGEqrcxc0khtu8Wt1mdqHGhLN2yoMafhw2CUCggxiqrB5xLuoydNdAM/i/YuA1
76REBt/7LckUAH2Lb0Ej8TD0UC5w1G7MoQ1m1QEwY3ONfgdAsZ/L/Q==
=wble
-----END PGP SIGNATURE-----
