John Hascall <[EMAIL PROTECTED]> writes:
> If -localauth's power was confined to that
> machine, I think we'd be happy (if they zorch their file
> server, cie la vie). But since they could zorch more we
> are fearful of this.
Anyone with root access to a fileserver has access to information
which allows them to create afs tokens for any user. Thus, they can
zorch any fileserver in the cell. -localauth just makes this fact
plainly obvious, so people aren't (self-)deluded into thinking they
can safely do departmental fileservers.
If you want to do departmental fileservers safely, you have to get a
Kerberos/AFS expert to do the necessary security work.
--
_.John G. Myers Internet: [EMAIL PROTECTED]
LoseNet: ...!seismo!ihnp4!wiscvm.wisc.edu!give!up
