[DGD] Kernel Questions
Felix A. Croes
felix at dworkin.nl
Tue Jan 22 05:40:03 CET 2002
Neil McBride <neil at castinian.org> wrote:
> I'm trying to understand some of the logic in the kernel library at the
> moment and I'm a little stuck on part of the login process.
>
> In testing the grant/ungrant command to see how it all works, I carried
> out the following: -
>
> As admin user: grant bob access
>                ungrant bob access
>
> Bob had never logged in before, so I would have expected this to give
> bob access and then immediately remove it again. However, when I went
> to log in as bob, it asked me for a password twice to set it, logged bob
> in and cloned him a wiztool. Even if bob had logged in before, I would
> expect his access to be removed.
That's a bug.
> I thought this was a bit odd so I played with it a bit further. I found
> that although bob didn't have any access as per the access daemon, he
> was still able to read all the world readable files (expected), but
> could also write to his home directory (/usr/bob), and most surprisingly
> was able to delete directories from /usr if they were empty, even
> /usr/admin.
That is <definitely> a bug.
> I dug further again to find out what determined whether or not a user
> was given a wiztool. The user object's login function bases this on
> whether or not the resource daemon has the user listed as a resource
> owner (query_owners). If the user is a resource owner, then they are
> given a wiztool and then a password. This I don't like as I removed the
> user's access via the ungrant command.
>
> From all this, I have two questions - I'm still working out how the
> kernel object all hangs together so they may or may not be obvious ;)
>
> First, why does the user object check for resource owners to grant the
> wiztool access? Shouldn't it be based on the file access or a mixture
> of the two?
It should check access.
Thanks for reporting this -- I'll fix it for the next release.
Regards,
Dworkin
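
A toy model of the mismatch discussed in this thread, added here as an example; it is not code from the DGD kernel library or from either poster. Only the name `query_owners` comes from the thread. The `Kernel` class, its other methods, and the assumption that grant registers a resource owner while ungrant touches only the access daemon are hypothetical.

```python
# Added example: a model of two authorities drifting apart after a revocation.
# All internals are assumptions; only query_owners is named in the thread.

class Kernel:
    def __init__(self):
        self.owners = {"admin"}            # resource daemon: resource owners
        self.access = {"admin": {"/"}}     # access daemon: user -> granted paths

    def grant(self, user):
        # Assumed: granting access also registers the user as a resource owner.
        self.owners.add(user)
        self.access.setdefault(user, set()).add("/usr/" + user)

    def ungrant(self, user):
        # Assumed cause of the report: only the access daemon is updated,
        # so the resource-owner entry outlives the revocation.
        self.access.pop(user, None)

    def query_owners(self):
        return sorted(self.owners)

    def has_access(self, user):
        return bool(self.access.get(user))

    def login_buggy(self, user):
        # Check described in the report: wiztool follows resource ownership.
        return user in self.query_owners()

    def login_fixed(self, user):
        # "It should check access": wiztool follows the access daemon.
        return self.has_access(user)


def stale_privileges(kernel):
    """Audit: owners with no access left who still pass the ownership check."""
    return [u for u in kernel.query_owners() if not kernel.has_access(u)]


def demo():
    k = Kernel()
    k.grant("bob")
    k.ungrant("bob")
    return k.login_buggy("bob"), k.login_fixed("bob"), stale_privileges(k)


if __name__ == "__main__":
    print(demo())
```

The `stale_privileges` audit is the check worth running against any system that keeps privilege state in two places: every entry it returns is a revocation that did not fully take effect.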