linux-nfs.vger.kernel.org archive mirror
From: Roman Shtylman <shtylman@athenacr.com>
To: linux-nfs@vger.kernel.org
Subject: question about nfs4 with krb5 behavior
Date: Mon, 10 Jan 2011 14:55:30 -0500
Message-ID: <201101101455.30608.shtylman@athenacr.com>

I have set up nfs4 with krb5 server and successfully mounted a client. Two
people can log into the client box and both access their respective shares and
not each other's. However, when one user (who, let's say, has root privs) uses
root to become the second user (using su), then that user can now access the
info of the user he became.

I was under the impression that this should not be possible as the tickets for 
access should still be tied to the first user they logged in as. Is this true? 
Or do I have an error in my setup?

Process:
Log in as user A
(User B logs into the machine from another terminal)
sudo su B (to become user B on the machine)
<can now edit files which belong to B>

If User B does not log in before user A becomes user B, user A is not able to
edit user B's files even after he becomes user B.

Kernel version: 2.6.32-24

Any clarification on behavior would be appreciated.

cheers,
~Roman

Thread overview: 7+ messages
2011-01-10 19:55 Roman Shtylman [this message]
2011-01-10 20:35 ` question about nfs4 with krb5 behavior Jeff Layton
2011-01-10 20:45   ` Roman Shtylman
2011-01-10 20:54     ` Kevin Coffman
2011-01-10 20:56     ` Trond Myklebust
2011-01-11  0:38     ` Daniel.Muntz
2011-01-10 20:48 ` Kevin Coffman
