Subject: Re: [netatalk-admins] Feature Suggestion: AFP/TCP running as user, not root
From: Aaron Gowatch (aarong@wired.com)
Date: Thu Nov 13 1997 - 19:10:35 EST
On Thu, 13 Nov 1997, Eugene Cohen wrote:
> What I'm thinking of is the situation where a user, not an administrator,
> would like to mount the server on his Mac with the privileges that his
> account on the server has.
This already happens with Netatalk, which is why the afpd child runs as
the user that has logged in.
> I'm envisioning an authentication scheme where the [AFP] logged in user
> keeps the UID of afpd. Under this scheme, a single (non-root) user
> could start the specially-configured afpd running on a high port number,
> and log in and access the server with the privileges that their account
> on the server already has. In other words, the authentication mechanism
> would not change the UID, but rather allow a single account (that of the
> user running afpd) access to the server.
The parent afpd, which runs as root, forks a child process which runs as
the user that is logging in. This child process has the same privileges
as that of a user logged into their shell account.
How will you get your AppleTalk client to use this arbitrary port that you
start afpd on? This requires more than a modification to the Netatalk
sources, namely the source for the AppleTalk client. The issues
surrounding running multiple processes that try to use the same port are
obvious...
But honestly, this is a rather silly idea. It's a lot like saying "I don't
want named running as root on my system, so every time I need to look up a
name, I'll have the TCP stack rsh to my configured DNS host, start up
named, I'll perform my query, have the TCP stack rsh my DNS host again and
shut down named. I'll do this every time I want to perform a DNS lookup,
and it will be better".
Even if you *could* get it to work, the overhead saved is so minimal, it's
not even worth the effort to try to make it work, not to mention how slow
it would be. For instance, if 10 users were logged into your Netatalk
box, there would be ~11 afpd processes. With the "rsh n' start"
mechanism, there would be 10, only the process which runs as root would be
missing.
Aa.
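The parent/child split described in the reply above, shown as an added illustration that is not Netatalk's own afpd code: a root parent forks one child per session, the child permanently drops to the authenticated user's uid and gid, verifies that the drop cannot be reversed, and only then runs the session body. The function names `drop_privileges`, `serve_as_user` and `demo_session` are assumptions made for this example; the exit code 111 for a failed drop is likewise a value chosen here.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example (not Netatalk's code): permanently drop to uid/gid.
 * Returns 0 on success, -1 if any step fails or the drop can be undone. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups and the gid must go first: once setuid() has
     * run, a process that is no longer root cannot change them. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Verify the drop is real and irreversible: a non-root target must
     * not be able to become root again, and all ids must match. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    if (getuid() != uid || geteuid() != uid)
        return -1;
    if (getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Session body run by the child; here it only reports its ids.
 * A real server would serve the volume from here. Returns 0 on success. */
int demo_session(void)
{
    printf("child pid %ld serving as uid %ld gid %ld\n",
           (long)getpid(), (long)getuid(), (long)getgid());
    return 0;
}

/* Parent side: fork one child per session, drop privileges in the child
 * before running the session, and return the child's exit status.
 * Exit status 111 (chosen for this example) means the drop itself failed,
 * so the child never served anything. */
int serve_as_user(uid_t uid, gid_t gid, int (*session)(void))
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0)
            _exit(111);
        _exit(session() == 0 ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Serve one session as the invoking user; when not started as root
     * the drop is a no-op, exactly like a shell login for that user. */
    int rc = serve_as_user(getuid(), getgid(), demo_session);
    printf("session exit status: %d\n", rc);
    return rc;
}
```

Run unprivileged, the child ends up with the caller's own ids and the session exits 0; run as root with a target uid/gid of an ordinary account, the child loses root and the post-drop `setuid(0)` check confirms it cannot get it back. An unprivileged parent asked to serve as a different user gets status 111, which is the point the reply makes: only a root parent can hand each session to the user who logged in.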
This archive was generated by hypermail 2b28 : Sat Dec 18 1999 - 16:28:04 EST