On Mon, 18 Feb 2002, Jan Harkes wrote:

> The only way we could block non-root users from seeing the cache is by
> encrypting the tokenfile with the user's password and some additional
> randomness provided by venus. Then if we pass up the token and the
> password, venus can decide if it is a unchanged token and whether it
> trusts the userid. The servers can still be used to check the validity.

Hello Jan,

I feel there might be a problem - venus does not see a user password with
kerbers authentication.

Wouldn't it be possible in disconnected mode
to just check against the uid of the process, while ignoring the groups or
better mapping coda groups to the local ones as long as there are suitable
ones? Well, say as an per-client option?

In many situations that would be sufficient (I want to work with my
Coda files, and use public software from Coda), while more secure
than the current situation you describe...

Otherwise it is in fact unacceptable to run Coda on multiuser machines,
it is too easy to switch to disconnected mode and then access others'
files...

Regards,
--
Ivan