Andrew Deason's blog

Restricting AFS ACLs


If you’ve ever administered a sufficiently large and public AFS cell, you have probably at least once had a user assign rlidwka rights to system:anyuser on a directory. This can be a real security headache, particularly when web-accessible data is pulled directly from AFS. Currently, the only way to make sure that doesn’t happen is to revoke users’ admin rights, but then you lose the convenience and flexibility of users maintaining permissions themselves. Arguably, this problem can be solved by user education and performing audits of ACL rights, but that isn’t always enough.
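The ACL audit mentioned above could look like the following sketch, which is an added example and not code from the original post. It assumes the text output of `fs listacl` has been collected into a string; the function names, the sample output, and the choice of which rights count as risky are assumptions made for illustration.

```python
import re

# Assumption: for system:anyuser, anything beyond read (r) and lookup (l) is a finding.
RISKY_ORDER = "idwka"
HEADER = re.compile(r"^Access list for (.+) is$")

def parse_listacl(text):
    """Parse `fs listacl` output into {path: {"normal": {...}, "negative": {...}}}."""
    acls, current, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = acls.setdefault(m.group(1), {"normal": {}, "negative": {}})
            section = None
        elif line == "Normal rights:":
            section = "normal"
        elif line == "Negative rights:":
            section = "negative"
        elif current is not None and section and line:
            who, _, rights = line.rpartition(" ")
            if who:
                current[section][who] = set(rights)
    return acls

def audit(text, principal="system:anyuser"):
    """Return {path: risky rights} where principal effectively holds more than rl."""
    findings = {}
    for path, acl in parse_listacl(text).items():
        # Negative rights are subtracted from whatever the normal entries grant.
        effective = acl["normal"].get(principal, set()) - acl["negative"].get(principal, set())
        risky = "".join(c for c in RISKY_ORDER if c in effective)
        if risky:
            findings[path] = risky
    return findings

# Constructed sample output (example.org paths and user names are made up).
SAMPLE = """\
Access list for /afs/example.org/user/alice/public_html is
Normal rights:
  system:administrators rlidwka
  system:anyuser rlidwka
Access list for /afs/example.org/user/bob is
Normal rights:
  system:anyuser rl
Access list for /afs/example.org/user/carol/drop is
Normal rights:
  system:anyuser rlik
Negative rights:
  system:anyuser k
"""

if __name__ == "__main__":
    for path, rights in audit(SAMPLE).items():
        print(f"{path}: system:anyuser holds {rights}")
```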
