Subject: Re: [netatalk-admins] Feature Suggestion: AFP/TCP running as user, not root
From: a sun (asun@zoology.washington.edu)
Date: Fri Nov 14 1997 - 14:08:25 EST
I didn't think it was a silly idea. I don't want to run the daemon to
serve all the users of the system, I just want to bring it up OCCASIONALLY
when I want to mount the server on *my* Mac with *my* account's permissions
and nothing more. I am a user of the system, and do not have root access,
but the sysadmins don't have the time or know-how to install netatalk, and
they would not mind if I ran it myself (if it was possible - this is what
we're discussing) occasionally. It isn't fair to compare what I am
proposing to be used with named. That's not the purpose of what I'm
saying. I don't want to save CPU necessarily, I just want non-root users
to be able to run it. You dig?
well, if people are really that interested in doing such a thing, it's
fairly trivial to do. contrary to popular belief, the appletalk stuff
should work almost without change. you're not using anything reserved
there. the afp/tcp stuff needs to use a different port as the reserved
port is root accessible only.
so, *IF* you really want to do this and thereby open your account to
who knows what, here's what you need to do:
1) edit auth.c and comment out the setgid/setuid calls.
2) realize that this will cause everything to be accessed as
you. i.e., if you don't want someone else to use their
password to access your stuff, you're going to have to edit
auth.c again and make sure you actually check that the
requesting password corresponds to the uid of the afpd
process.
3) run with a different port, lock file, and AppleVolumes.*
files.
4) caveat emptor
once again, this matter is *completely* separate from afp/tcp
vs. afp/ddp.
-a
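As an added example (not netatalk's own code), the two checks from steps 2 and 3 written as standalone C functions: a login is only accepted when the authenticating account's uid is the daemon's own uid (assumed to be getuid()), and a bind port is only accepted when it is outside the reserved range or the process is root. The login names in main() are constructed; 548 is the registered AFP-over-TCP port.

```c
/* Added example, not netatalk code. An afpd started by an ordinary
 * user cannot setuid() to the authenticating account, so every session
 * runs as the daemon's owner. Step 2 above: before honouring a
 * password-checked login, refuse any account whose uid is not the
 * daemon's, so other users' credentials cannot reach the owner's files. */
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum auth_result { AUTH_OK = 0, AUTH_UNKNOWN_USER = 1, AUTH_UID_MISMATCH = 2 };

/* 'name' has already passed the password check; daemon_uid is the uid
 * the afpd process runs as (normally getuid()). */
enum auth_result check_local_user(const char *name, uid_t daemon_uid)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return AUTH_UNKNOWN_USER;
    if (pw->pw_uid != daemon_uid)
        return AUTH_UID_MISMATCH;
    return AUTH_OK;
}

/* Step 3: a non-root daemon cannot bind a reserved port (< 1024).
 * Returns 1 if 'port' may be bound by a process with effective uid euid. */
int port_allowed(int port, uid_t euid)
{
    if (port <= 0 || port > 65535)
        return 0;
    return (euid == 0 || port >= 1024) ? 1 : 0;
}

int main(void)
{
    /* constructed login names: the daemon owner is whoever runs this */
    const char *logins[] = { "root", "nobody", "no-such-user" };
    uid_t me = getuid();
    for (size_t i = 0; i < sizeof logins / sizeof logins[0]; i++)
        printf("login %-13s -> result %d\n", logins[i],
               check_local_user(logins[i], me));
    printf("port 548 with euid %u allowed: %d\n", (unsigned)geteuid(),
           port_allowed(548, geteuid()));
    printf("port 5548 with euid %u allowed: %d\n", (unsigned)geteuid(),
           port_allowed(5548, geteuid()));
    return 0;
}
```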