nepywoda | 28 Jul 2003 20:25

AFS and changing local UIDs

I have Kerberos and Arla set up on OS 10.2 and I was wondering if it's truly *necessary*
to change your local UID to your remote "afs" UID. I have set up AFS/Arla on a few
machines and it's been working without changing the local UID to match the remote
one. What exactly is the problem that makes it "suggested" to change UIDs? Is it a
security issue or is it just an issue with the Finder's interaction with AFS?

Thanks,
Paul Nepywoda

Neulinger, Nathan | 28 Jul 2003 20:46

RE: AFS and changing local UIDs

Display of file ownership in directory listings won't match... other
than that, doesn't really matter on unix platforms. (OS X may have some
other constraint, but not that I am aware of.)

-- Nathan

------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul <at> umr.edu
University of Missouri - Rolla         Phone: (573) 341-4841
UMR Information Technology             Fax: (573) 341-4216

> -----Original Message-----
> From: nepywoda <at> fnal.gov [mailto:nepywoda <at> fnal.gov] 
> Sent: Monday, July 28, 2003 1:26 PM
> To: arla-drinkers <at> stacken.kth.se
> Subject: AFS and changing local UIDs
> 
> 
> I have Kerberos and Arla set up on OS 10.2 and I was wondering
> if it's truly *necessary*
> to change your local UID to your remote "afs" UID. I have
> set up AFS/Arla on a few
> machines and it's been working without changing the local UID 
> to match the remote 
> one. What exactly is the problem that makes it "suggested" to 
> change UIDs? Is it a 
> security issue or is it just an issue with the Finder's 
> interaction with AFS?
> 
> Thanks,

Harald Barth | 29 Jul 2003 12:18

Re: AFS and changing local UIDs


> What exactly is the problem that makes it "suggested" to change UIDs? Is it a 
> security issue or is it just an issue with the Finder's interaction with AFS?

Finder tries to be smart and uses the result of uid+permission bits
instead of access(2) to figure out if it should display stuff. If you
have a mismatch the Finder's guess is wrong most of the time, if you
have a match it is right most of the time. It would be better if the
folks who did the Finder would do the right thing instead of trying to
save time for one syscall.

Others that can be confused by a mismatch are users. I don't think
there are any security issues - AFS does not use the uid for any
security related checks.

Harald.

Paul Nepywoda | 29 Jul 2003 15:56

Re: AFS and changing local UIDs

Basically I'm wondering if taking time to both change the UID AND chown 
every file is worth the time (and it can sometimes take a long time). 
It seems like Finder will eventually figure out that it can write to 
AFS space, but would it figure this out faster if the UIDs matched?

Also, by not using a unix standard like access() are they really 
cutting any corners?

Thanks for the quick reply.
~~~Paul Nepywoda

On Tuesday, July 29, 2003, at 05:18 AM, Harald Barth wrote:

>
>> What exactly is the problem that makes it "suggested" to change UIDs? 
>> Is it a
>> security issue or is it just an issue with the Finder's interaction 
>> with AFS?
>
> Finder tries to be smart and uses the result of uid+permission bits
> instead of access(2) to figure out if it should display stuff. If you
> have a mismatch the Finder's guess is wrong most of the time, if you
> have a match it is right most of the time. It would be better if the
> folks who did the Finder would do the right thing instead of trying to
> save time for one syscall.
>
> Others that can be confused by a mismatch are users. I don't think
> there are any security issues - AFS does not use the uid for any
> security related checks.
>

Andrew de los Reyes | 29 Jul 2003 22:51

Patch to use arla on newer linux kernels?

Hi,

I am having a problem with arla 0.35.12 on linux kernel 2.4.20.  When
I cd into /afs and issue 'ls', I get a "stale NFS file handle" error.

One message[1] in the threads entitled "Stale NFS file handle"[2]
mentions patching either the kernel or arla to solve this (or a
similar) problem.  I would like to know if anyone has released such a
patch for arla.

I would also like to know if 2.4.18 is officially the latest supported
kernel version for arla.

Many thanks, and keep up the great work,
-andrew

[1]
http://www.stacken.kth.se/lists/arla-drinkers/2003-01/msg00006.html

[2]
http://www.stacken.kth.se/lists/arla-drinkers/2003-01/msg00005.html
http://www.stacken.kth.se/lists/arla-drinkers/2002-09/msg00004.html

Harald Barth | 31 Jul 2003 00:44

Re: AFS and changing local UIDs


> Basically I'm wondering if taking time to both change the UID AND chown 
> every file is worth the time (and it can sometimes take a long time). 

As usual: This depends on what is the bigger pain in your particular
situation.

> It seems like Finder will eventually figure out that it can write to 
> AFS space, but would it figure this out faster if the UIDs matched?

I don't know enough about the Finder to answer this one.

> Also, by not using a unix standard like access() are they really 
> cutting any corners?

If you make assumptions when dealing with your own file system code that
would be OK, but not using access() on others' file systems (like AFS
or NFS) is inviting trouble.

Harald.

