346 lines
11 KiB
Plaintext
346 lines
11 KiB
Plaintext
-------[ Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 13 of 19 ]
|
|
|
|
|
|
-------------------------[ Black Book of AFS ]
|
|
|
|
|
|
--------[ nicnoc ]
|
|
|
|
|
|
----[ Introduction
|
|
|
|
AFS is commonly deployed as a distributed filesystem solution in academic and
|
|
research environments. This short article serves as an introductory guide to
|
|
publicly-accessible resources on AFS. As always, misuse of this information
|
|
by the reader is taken at his or her own peril.
|
|
|
|
The current incarnation of AFS grew out of research conducted with the Andrew
|
|
FileSystem at Carnegie-Mellon University, also home of the CODA distributed fs
|
|
research (http://www.coda.cs.cmu.edu/). AFS is now a commercial product,
|
|
supported and sold by the Transarc Corporation (www.transarc.com).
|
|
|
|
|
|
----[ Conventions
|
|
|
|
Resources on AFS listed in this document will take the form of '/afs/cell
|
|
name'. As you will discover, certain hosts are only accessible from a gateway
|
|
immediately associated with the cell. For example, the node net.mit.edu
|
|
can only be reached from the outside (ie. using methods other than a local
|
|
fs mount) through the web.mit.edu AFS gateway. Where appropriate, these
|
|
access restrictions are noted.
|
|
|
|
|
|
----[ Basics
|
|
|
|
Terminology
|
|
-----------
|
|
cell : Multiple hosts within the same domain sharing a single fs image.
|
|
- local cell : Describes a cell within the local domain.
|
|
- foreign cell : All cells not within the local domain.
|
|
- cell name : Usually a derivation of the FQDN.
|
|
node : Generic term for any host on the network.
|
|
ACL : Access Control List - who gets what, and how.
|
|
|
|
Technical
|
|
---------
|
|
Access permissions of files and directories on an AFS cell are handled
|
|
independently of the underlying operating system permissions. Traditional
|
|
Unix fs permission bits are divided into read, write, and execute. The AFS
|
|
ACL groupings build on this concept and add extensions suitable for
|
|
distributed file-sharing.
|
|
|
|
Below is a basic introduction to concepts and commands used to manage AFS; by
|
|
no means a complete treatment of the subject. See tutorials at
|
|
http://www.alw.nih.gov/Docs/AFS/AFS_toc.html and
|
|
http://www.slac.stanford.edu/comp/unix/afs/users-guide/afs-frames.htm for
|
|
more information.
|
|
|
|
ACL bits
|
|
--------
|
|
r : read : view directory and file contents
|
|
l : lookup : searching of a directory for filenames (recursive find)
|
|
i : insert : create a new directory or file
|
|
d : delete : remove a file or subdirectory
|
|
w : write : modification of file contents
|
|
k : lock : owner's processes allowed to flock() in this dir
|
|
a : administer : user permitted to modify ACL for this resource
|
|
|
|
Commands for ACL listing and modification
|
|
-----------------------------------------
|
|
fs: listacl <filename> (alias: la) : list access control list
|
|
setacl <directory> <username> <permissions> (alias: sa)
|
|
.... set access control list
|
|
|
|
ex. setacl secret.doc jsbach lidrw
|
|
|
|
pts:
|
|
Invoked as 'pts option' on the command-line. Manages protection
|
|
groups, which permit a smaller group of users to access resources
|
|
owned by another user.
|
|
options:
|
|
adduser -user user1 user2... -group <owner>:<group name>
|
|
.... adds user(s) to an existing protection group
|
|
removeuser -user user1 user2... -group <owner>:<group name>
|
|
.... removes user(s) from a protection group
|
|
creategroup <owner>:<group name>
|
|
.... create a protection group
|
|
examine <path>
|
|
.... volume name of specified resource at <path>
|
|
membership -name <user> (alternatively <group name>:<owner>)
|
|
.... list protection group membership for user
|
|
|
|
Protocol information
|
|
--------------------
|
|
AFS is implemented over wide-area TCP/IP networks, optionally
|
|
authenticating users with a modified Kerberos implementation. Client nodes
|
|
utilize a cache manager, which stores frequently-accessed data on a local
|
|
disk for faster retrieval.
|
|
|
|
Taken from an unknown cell's /etc/service, the ports and
|
|
protocols that make AFS work its magic:
|
|
|
|
afs3-fileserver 7000/udp # file server itself
|
|
afs3-callback 7001/udp # callbacks to cache managers
|
|
afs3-prserver 7002/udp # users & groups database
|
|
afs3-vlserver 7003/udp # volume location database
|
|
afs3-kaserver 7004/udp # AFS/Kerberos authentication service
|
|
afs3-volser 7005/udp # volume management server
|
|
afs3-errors 7006/udp # error interpretation service
|
|
afs3-bos 7007/udp # basic overseer process
|
|
afs3-update 7008/udp # server-to-server updater
|
|
afs3-rmtsys 7009/udp # remote cache manager service
|
|
|
|
Gateways
|
|
========
|
|
Legitimate access to AFS is quite easy to obtain. Any alumnus of
|
|
an institution where AFS is widely deployed (MIT, CMU, Stanford, etc.)
|
|
usually has an account on a connected node. Additionally, it is not
|
|
uncommon for admins to grant research accounts on university systems
|
|
to friends outside.
|
|
For those without friends and we, the unwashed masses, there are
|
|
gateways which allow access to AFS through other services. In the early
|
|
1990's, these were commonly found on institution FTP and Gopher sites.
|
|
Today, most gateways provide proxied access to AFS through the web.
|
|
Transarc provides the WebSecure product which is the most commonly used
|
|
gateway software.
|
|
AFS->web gateway discovery is a matter of blind luck, although
|
|
with the assistance of a search engine, it is possible to select possible
|
|
candidates.
|
|
|
|
Two commonly-used gateways are:
|
|
web.mit.edu
|
|
www.transarc.com
|
|
|
|
The MIT gateway is more controlled than the Transarc's.
|
|
Of the 74 active cells discovered, MIT permits only 12:
|
|
andrew.cmu.edu athena.mit.edu
|
|
cmu.edu cs.cmu.edu
|
|
ece.cmu.edu iastate.edu
|
|
ir.stanford.edu net.mit.edu
|
|
northstar.dartmouth.edu sipb.mit.edu
|
|
transarc.com umich.edu
|
|
|
|
Some cells local to mit.edu are accessible through the gateway with aliases,
|
|
namely: athena, dev, net, and sipb. These aliases and restricted-access
|
|
nodes are not enumerated.
|
|
|
|
Directory
|
|
=========
|
|
This listing comes from an audit of active nodes accessible
|
|
through the transarc.com AFS->web gateway. From a dataset of 511 entries,
|
|
74 were found to be active. The unofficial AFS FAQ (section 1.07)
|
|
(/afs/transarc.com/public/afs-contrib/doc/faq/afs-faq.html)
|
|
assisted with identification of certain cells.
|
|
Data were collected from a recent CellservDB
|
|
(/afs/transarc.com/service/etc/CellServDB.export) and the output of
|
|
'ls /afs' on an AFS node. A simple script linking lynx, grep,
|
|
sort and awk produced the below listing. All listed nodes were verified
|
|
to be accessible from an external network on 07.22.1999.
|
|
|
|
## Corporate (COM)
|
|
|
|
|
# Transarc Corporation
|
|
transarc.com
|
|
|
|
## Education (EDU)
|
|
|
|
|
# Arizona State University
|
|
asu.edu
|
|
# Boston University
|
|
bu.edu
|
|
# Carnegie-Mellon University
|
|
cmu.edu
|
|
andrew.cmu.edu
|
|
ce.cmu.edu
|
|
! cs.cmu.edu # Top-level directory not browsable
|
|
ece.cmu.edu
|
|
me.cmu.edu
|
|
# Cornell University
|
|
graphics.cornell.edu
|
|
msc.cornell.edu
|
|
theory.cornell.edu
|
|
# Dartmouth College
|
|
northstar.dartmouth.edu
|
|
# Indiana State University
|
|
iastate.edu
|
|
# Indiana University
|
|
ovpit.indiana.edu
|
|
# Massachusetts Institute of Technology
|
|
athena.mit.edu
|
|
sipb.mit.edu
|
|
# North Carolina Agricultural and Technical State University
|
|
ncat.edu
|
|
# North Carolina State University
|
|
eos.ncsu.edu
|
|
unity.ncsu.edu
|
|
# Notre Dame
|
|
nd.edu
|
|
# Pennsylvania State University
|
|
psu.edu
|
|
# Pittsburgh Supercomputing Center
|
|
psc.edu
|
|
# Rose-Hulman Institute of Technology
|
|
rose-hulman.edu
|
|
# Stanford University
|
|
ir.stanford.edu
|
|
slac.stanford.edu
|
|
# University of California at Davis
|
|
ece.ucdavis.edu
|
|
# University of Chicago
|
|
spc.uchicago.edu
|
|
# University of Illinois at Chicago (NCSA)
|
|
ncsa.uiuc.edu
|
|
# University of Maryland at Baltimore
|
|
umbc.edu
|
|
# University of Maryland
|
|
wam.umd.edu
|
|
# University of Michigan
|
|
umich.edu
|
|
citi.umich.edu
|
|
engin.umich.edu
|
|
lsa.umich.edu
|
|
math.lsa.umich.edu
|
|
dmsv.med.umich.edu
|
|
sph.umich.edu
|
|
# University of Pittsburgh
|
|
pitt.edu
|
|
# University of Utah
|
|
utah.edu
|
|
cs.utah.edu
|
|
# University of Washington
|
|
cs.washington.edu
|
|
# University of Wisconsin
|
|
cs.wisc.edu
|
|
|
|
## Government (GOV)
|
|
|
|
|
# Argonne National Labs
|
|
anl.gov
|
|
# Fermi National Accelerator Lab
|
|
fnal.gov
|
|
# National Energy Research Supercomputer Center
|
|
nersc.gov
|
|
# National Institutes of Health
|
|
alw.nih.gov
|
|
# Princeton Plasma Physics Laboratory
|
|
pppl.gov
|
|
|
|
## Military (MIL)
|
|
|
|
|
# Naval Research Laboratory
|
|
cmf.nrl.navy.mil
|
|
|
|
## Network
|
|
|
|
|
# Energy Sciences Network
|
|
es.net
|
|
|
|
## Organization (ORG)
|
|
|
|
|
# Esprit Research Network of Excellence (European Communities)
|
|
research.ec.org
|
|
# Open Software Foundation
|
|
ri.osf.org
|
|
|
|
## Europe and Asia
|
|
|
|
|
# European Laboratory for Particle Physics, Geneva
|
|
cern.ch
|
|
#Deutsches Elektronen-Synchrotron
|
|
desy.de
|
|
#Univ. of Cologne Inst. for Geophysics & Meteorology
|
|
geo.uni-koeln.de
|
|
# DESY-IfH Zeuthen
|
|
ifh.de
|
|
# Leibniz-Rechenzentrum Muenchen
|
|
lrz-muenchen.de
|
|
# Max-Planck-Institut fuer Astrophysik
|
|
mpa-garching.mpg.de
|
|
# TH-Darmstadt
|
|
hrzone.th-darmstadt.de
|
|
# Technische Universitaet Chemnitz-Zwickau
|
|
tu-chemnitz.de
|
|
# Albert-Ludwigs-Universitat Freiburg
|
|
uni-freiburg.de
|
|
# University of Hohenheim
|
|
uni-hohenheim.de
|
|
# Rechenzentrum University of Kaiserslautern
|
|
rhrk.uni-kl.de
|
|
# University of Cologne
|
|
rrz.uni-koeln.de
|
|
# University of Stuttgart
|
|
ihf.uni-stuttgart.de
|
|
mathematik-cip.uni-stuttgart.de
|
|
mathematik.uni-stuttgart.de
|
|
rus.uni-stuttgart.de
|
|
# IN2P3 production cell
|
|
in2p3.fr
|
|
# CASPUR Inter-University Computing Consortium
|
|
caspur.it
|
|
# INFN Sezione di Pisa
|
|
pi.infn.it
|
|
# Real World Computer Partnership
|
|
rwcp.or.jp
|
|
# Chalmers University of Technology - General users
|
|
others.chalmers.se
|
|
# Royal Institute of Technology, NADA
|
|
nada.kth.se
|
|
|
|
Interesting areas
|
|
=================
|
|
Half of the challenge in network exploration is the act of
|
|
finding fun items to look at. The list below is by no means complete,
|
|
and barely touches the surface of what the author and others have
|
|
collected over the years. Enjoy, and good luck hunting.
|
|
|
|
/afs/andrew.cmu.edu/local/src/os/
|
|
.... Left over from a time when Irix source resided there.
|
|
/afs/ncat.edu/common/
|
|
.... Root directory of an Ultrix installation
|
|
/afs/ir.stanford.edu/users/c/l/clinton
|
|
.... Not the daughter of the U.S. President, but a reasonable
|
|
facsimile thereof which causes much excitement among readers.
|
|
/afs/rose-hulman.edu/users/manager/agnello/compromised/
|
|
.... AFS follows the 'user-managed' philosophy of resource
|
|
management, leaving it up to individual users to secure the
|
|
permissions on their own files. This unfortunate admin
|
|
forgot to set the permissions on data collected during a
|
|
recent (08.08.1999) security compromise. The world,
|
|
including the intruder, can now browse his work and see
|
|
what they have found.
|
|
/afs/umbc.edu/public/cores/
|
|
.... Corefiles from fileserver crashes at the University of
|
|
Maryland. No further comment.
|
|
/afs/net.mit.edu/reference/multics/
|
|
.... Once in a blue moon, you come along a gem like this one.
|
|
Source code, project notes, and electronic messages from
|
|
the Multics project. ./udd/multics/Rochlis contains the
|
|
mail, messages, and notes in case you can't find it.
|
|
|
|
Greetings
|
|
=========
|
|
Shouts and thanks go out to route and the r00t crew, ParMaster,
|
|
cstone, aleph1, and the Slackworks crew.
|
|
|
|
-- nicnoc
|