Subject: Re: [netatalk-admins] Feature Suggestion: AFP/TCP running as user, not root
From: Eugene Cohen (eugene@cegt201.bradley.edu)
Date: Thu Nov 13 1997 - 12:50:51 EST
What I'm thinking of is the situation where a user, not an administrator,
would like to mount the server on his Mac with the privileges that his
account on the server has. I'm envisioning an authentication scheme where
the [AFP] logged in user keeps the UID of afpd. Under this scheme, a
single (non-root) user could start the specially-configured afpd running on
a high port number, and log in and access the server with the privileges
that their account on the server already has. In other words, the
authentication mechanism would not change the UID, but rather allow a single
account (that of the user running afpd) access to the server.
What I would like to do is to write a simple program on my Mac that would
send an rsh command to a server to start afpd, log in and mount the volume,
and later send another rsh command to stop afpd once I have logged out.
(The sysadmins usually don't like us to keep daemon processes running all
the time). I think this could be valuable to users out there. See what
I'm getting at? Would this be too difficult to implement?
-Eugene
>>It should be possible now, if afpd is able run only supporting TCP/IP
>>connections, to have the daemon run as something other than root. The only
>>change that would need to be made would be support for perhaps a custom
>>passwd file since many systems now support shadow authentication and only
>>the root account can read the shadow file. Is the addition of the ability
>>to run as a non-root user feasible given the source base?
>
>Probably not: for the child afpd to become the effective (logged-in) user,
>the master afpd must have appropriate privileges, and that usually means uid
>0.
>
>What is your objection against running the master afpd as root, besides the
>usual wisdom of running as few as possible processes as root?
This archive was generated by hypermail 2b28 : Sat Dec 18 1999 - 16:28:03 EST