From 7b00c17b49fe6a54f99f3c23bfc307a4b10d88e2 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 24 Mar 2011 12:56:56 -0700 Subject: [PATCH] Correctly document the AFS client setuid defaults AFS no longer honors setuid status by default. Update the admin guide documentation appropriately and add a warning recommending against enabling setuid status given the limitations of the current AFS protocol. Reformat this section of the admin guide to make it easier to maintain. Change-Id: I6ea5859037d7d194df801f1a76583257cfc8bbe8 Reviewed-on: http://gerrit.openafs.org/4311 Reviewed-by: Jeffrey Altman Reviewed-by: Derrick Brashear Tested-by: Derrick Brashear --- doc/xml/AdminGuide/auagd015.xml | 97 +++++++++++++++++++++++++---------------- 1 file changed, 59 insertions(+), 38 deletions(-) diff --git a/doc/xml/AdminGuide/auagd015.xml b/doc/xml/AdminGuide/auagd015.xml index 885bd53..73086cd 100644 --- a/doc/xml/AdminGuide/auagd015.xml +++ b/doc/xml/AdminGuide/auagd015.xml 
@@ -2199,44 +2199,65 @@ setuid programs - A setuid program is one whose binary file has the UNIX setuid mode bit turned on. While a setuid - program runs, the user who initialized it assumes the local identity (UNIX UID) of the binary file's owner, and so is granted - the permissions in the local file system that pertain to the owner. Most commonly, the issuer's assumed identity (often referred - to as effective UID) is the local superuser root. - - AFS does not recognize effective UID: if a setuid program accesses AFS files and directories, it uses the current AFS - identity of the user who initialized the program, not of the program's owner. Nevertheless, it can be useful to store setuid - programs in AFS for use on more than one client machine. AFS enables a client machine's administrator to determine whether the - local Cache Manager allows setuid programs to run or not. - - By default, the Cache Manager allows programs from its home cell to run with setuid permission, but denies setuid - permission to programs from foreign cells. A program belongs to the same cell as the file server machine that houses the volume - in which the file resides, as specified in the file server machine's /usr/afs/etc/ThisCell - file. The Cache Manager determines its own home cell by reading the /usr/vice/etc/ThisCell file - at initialization. - - To change a cell's setuid status with respect to the local machine, become the local superuser root and issue the fs setcell command. To determine a cell's current - setuid status, use the fs getcellstatus command. - - When you issue the fs setcell command, you directly alter a cell's setuid status as - recorded in kernel memory, so rebooting the machine is not necessary. However, nondefault settings do not persist across reboots - of the machine unless you add the appropriate fs setcell command to the machine's AFS - initialization file. 
- - Only members of the system:administrators group can turn on the setuid mode bit on an AFS - file or directory. When the setuid mode bit is turned on, the UNIX ls -l command displays the - third user mode bit as an s instead of an x, but for an AFS - file or directory, the s appears only if setuid permission is enabled for the cell in which the - file resides. - fs commands - - getcellstatus - - commands - - fs getcellstatus - + A setuid program is one whose binary file + has the UNIX setuid mode bit turned on. While a setuid program runs, + the user who initialized it assumes the local identity (UNIX UID) of + the binary file's owner, and so is granted the permissions in the + local file system that pertain to the owner. Most commonly, the + issuer's assumed identity (often referred to as effective + UID) is the local superuser root. + + AFS does not recognize effective UID: if a setuid program + accesses AFS files and directories, it uses the current AFS identity + of the user who initialized the program, not of the program's + owner. Nevertheless, it can be useful to store setuid programs in AFS + for use on more than one client machine. AFS enables a client + machine's administrator to determine and change whether the local + Cache Manager allows setuid programs to run or not. + + By default, the Cache Manager ignores all setuid permissions in + AFS, but this can be changed by a client machine's administrator. Each + cell's setuid status is set independently of other cells. To change a + cell's setuid status with respect to the local machine, become the + local superuser root and issue the + fs setcell command. To determine a + cell's current setuid status, use the fs + getcellstatus command. + + + Enabling support for the UNIX setuid bit for AFS programs is + not secure with the current AFS protocol. Enabling this capability + is not recommended except in very restricted environments on trusted + networks. 
+ + + When you issue the fs setcell + command, you directly alter a cell's setuid status as recorded in + kernel memory, so rebooting the machine is not necessary. However, + nondefault settings do not persist across reboots of the machine + unless you add the appropriate fs + setcell command to the machine's AFS initialization + file. + + Only members of the system:administrators group can turn on the + setuid mode bit on an AFS file or directory. When the setuid mode bit + is turned on, the UNIX ls -l command + displays the third user mode bit as an s instead of an x, but for an AFS file or directory, the + s appears only if setuid permission + is enabled for the cell in which the file resides. + + fs commands + getcellstatus + + + commands + fs getcellstatus + + To determine a cell's setuid status -- 1.9.4
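Review bot: the rewritten default paragraph drops the two removed sentences that define which cell a program belongs to (the file server machine's /usr/afs/etc/ThisCell file, and the Cache Manager reading /usr/vice/etc/ThisCell at initialization), yet the new sentence "Each cell's setuid status is set independently of other cells" and the retained "the s appears only if setuid permission is enabled for the cell in which the file resides" still rely on that definition; consider re-adding those two sentences after "By default, the Cache Manager ignores all setuid permissions in AFS". The new warning says enabling setuid support "is not secure with the current AFS protocol" but gives the administrator nothing to weigh the risk against; a short clause naming the protocol limitation, or a cross-reference to where it is described, would make the "very restricted environments on trusted networks" recommendation actionable. The reflow of the fs setcell and fs getcellstatus guidance and of the index entries otherwise preserves the original content.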