(Illustration by Gaich Muramatsu)
Hello, a background: I have noticed somewhere in Coda code a special case for uid 0's credentials (venus invalidating acls on cached objects, something like that?). I am a bit concerned about uid 0 being able to access /coda as an authenticated user (thus protected from server spoofing), without extra side effects. I wish the following would work (and hope it does) : 1. a cron job once in a while creating root kerberos credentials by a keytab, host/<host> being a good principal candidate as such keytab and entry should exist anyway :) 2. the same cron job refreshing/replacing uid 0's coda token via [k]clog 3. then the cronjob may even destroy the kerberos credentials * [1] and [3] may be omitted for a non-kerberized venus. ** it is so convenient to not have a PAG. PAG does not add much for the security ("uid trust" is hardly avoidable in UNIX) but places additional limitations, like starting crond after initial authentication... *** well, PAG would help to allow cron jobs to alter user files on Coda if the user explicitely grants host/<host> the right to do that... The same for mail delivery and other "problematic aspects" of networked filesystems. Best regards, and the usual thanks for Coda! -- IvanReceived on 2002-09-24 11:09:05