[DGD] Kernel Questions

Neil McBride neil at castinian.org
Tue Jan 22 03:37:22 CET 2002


Hi all,

I'm trying to understand some of the logic in the kernel library at the 
moment and I'm a little stuck on part of the login process.

In testing the grant/ungrant command to see how it all works, I carried 
out the following:

As admin user: grant bob access
                ungrant bob access

Bob had never logged in before, so I would have expected this to give 
bob access and then immediately remove it again.  However, when I went 
to log in as bob, it asked me for a password twice to set it, logged bob 
in and cloned him a wiztool.  Even if bob had logged in before, I would 
expect his access to be removed.

I thought this was a bit odd so I played with it a bit further.  I found 
that although bob didn't have any access as per the access daemon, he 
was still able to read all the world readable files (expected), but 
could also write to his home directory (/usr/bob), and most surprisingly 
was able to delete directories from /usr if they were empty, even 
/usr/admin.

I dug further again to find out what determined whether or not a user 
was given a wiztool.  The user object's login function bases this on 
whether or not the resource daemon has the user listed as a resource 
owner (query_owners).  If the user is a resource owner, then they are 
given a wiztool and then a password.  This I don't like as I removed the 
user's access via the ungrant command.

From all this, I have two questions - I'm still working out how the 
kernel object all hangs together so they may or may not be obvious ;)

First, why does the user object check for resource owners to grant the 
wiztool access?  Shouldn't it be based on the file access or a mixture 
of the two?

My second question is about the file access that the bob user was given 
- I'm assuming he wasn't supposed to be able to write to his home dir, 
or delete other empty home directories.  If this is not the case, then I 
guess it's working fine and I don't understand the logic here - could 
someone explain if that is the case?  I suspect this is a minor bug 
though - could be wrong ;)

Any thoughts and insights would be appreciated ;)

Thanks,

Neil.
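As an added illustration, not code from the original post or from the DGD kernel library itself, the following is a small wiztool-style command that reports what the access daemon and the resource daemon each record for one user name, so the mismatch described above (no entry left in the access daemon after ungrant, but the name still listed as a resource owner, which is what the login code keys on) can be seen directly. It assumes the kernel library's ACCESSD and RSRCD macros from <kernel/kernel.h>, the READ_ACCESS/WRITE_ACCESS/FULL_ACCESS constants from <kernel/access.h>, that ACCESSD->query_user_access() returns a mapping of paths to access levels and RSRCD->query_owners() returns an array of owner names, and that cmd_* functions take (object user, string cmd, string str) as the kernel wiztool's commands do. The command name cmd_checkuser, the helper access_name(), and the inheriting wiztool are this example's own.

```lpc
# include <kernel/kernel.h>
# include <kernel/access.h>

inherit "/kernel/lib/wiztool";   /* assumed: a custom wiztool built on the kernel one */

/*
 * NAME:        access_name()
 * DESCRIPTION: turn an access level from the access daemon into a word
 *              (hypothetical helper, not part of the kernel library)
 */
private string access_name(int level)
{
    switch (level) {
    case READ_ACCESS:  return "read";
    case WRITE_ACCESS: return "write";
    case FULL_ACCESS:  return "full";
    default:           return "unknown(" + level + ")";
    }
}

/*
 * NAME:        cmd_checkuser()
 * DESCRIPTION: report, for one user name, what the access daemon and the
 *              resource daemon each record.  A user that is still a
 *              resource owner but has no access entries is the state
 *              described in the post: ungrant removed the access, yet a
 *              login check based on query_owners() still treats the user
 *              as a wizard.  (Hypothetical command, not kernel code.)
 */
static void cmd_checkuser(object user, string cmd, string str)
{
    mapping access;
    string *owners, *paths;
    int i, is_owner, has_access;

    if (!str || sizeof(explode(str, " ")) != 1) {
        message("Usage: " + cmd + " <user>\n");
        return;
    }

    access = ACCESSD->query_user_access(str);   /* assumed: path -> access level */
    owners = RSRCD->query_owners();             /* assumed: names of resource owners */
    is_owner = (sizeof(owners & ({ str })) != 0);
    has_access = (access && map_sizeof(access) != 0);

    message("resource owner: " + (is_owner ? "yes" : "no") + "\n");
    if (!has_access) {
        message("access daemon:  no entries\n");
    } else {
        paths = map_indices(access);
        for (i = 0; i < sizeof(paths); i++) {
            message("access daemon:  " + paths[i] + " " +
                    access_name(access[paths[i]]) + "\n");
        }
    }

    /* the inconsistent state worth flagging */
    if (is_owner && !has_access) {
        message("note: " + str + " is a resource owner with no access entries; " +
                "a login check keyed on query_owners() will still hand out a wiztool\n");
    }
}
```

Running "checkuser bob" after "grant bob access" and "ungrant bob access" would show whether the two daemons disagree about bob, which is the first thing to establish before deciding whether the wiztool check in the user object or the ungrant command is the part that needs changing.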
