A fully privileged AFS system administrator has the following characteristics:
Membership in the cell's system:administrators group. See Administering the system:administrators Group.
The ADMIN flag on his or her entry in the cell's Authentication Database. See Granting Privilege for kas Commands: the ADMIN Flag.
Inclusion in the file /usr/afs/etc/UserList on the local disk of each AFS server machine in the cell. See Administering the UserList File.
This section describes the three privileges and explains why more than one privilege is necessary.
Never grant any administrative privilege to the user anonymous, even when a server outage makes it impossible to mutually authenticate. If you grant such privilege, then any user who can access a machine in your cell can issue privileged commands. The alternative solution is to put the affected server machine into no-authentication mode and use the -noauth flag available on many commands to prevent mutual authentication attempts. For further discussion, see Managing Authentication and Authorization Requirements.
Often, a cell's administrators require full administrative privileges to perform their jobs effectively. However, separating the three types of privilege makes it possible to grant only the minimum set of privileges that a given administrator needs to complete his or her work.
The system:administrators group privilege is perhaps the most basic, and most frequently used during normal operation (when all the servers are running normally). When the Protection Database is unavailable due to machine or server outage, it is not possible to issue commands that require this type of privilege.
The ADMIN flag privilege is separate because of the extreme sensitivity of the information in the Authentication Database, especially the server encryption key in the afs entry. When the Authentication Database is unavailable due to machine or server outage, it is not possible to issue commands that require this type of privilege.
The ability to issue privileged bos and vos commands is recorded in the /usr/afs/etc/UserList file on the local disk of each AFS server machine rather than in a database, so that in case of serious server or network problems administrators can still log on to server machines and use those commands while solving the problem.
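The following is an added example, not part of the original guide: a minimum-privilege audit that reports which of the three privileges a user holds and checks that anonymous holds none, by parsing the output of pts membership, bos listusers and kas examine. The function names are hypothetical, the sample output is constructed, and the command output formats are assumed to match the samples.

```shell
#!/bin/sh
# Each parser reads command output on stdin, so it works on live output
# (e.g. `pts membership system:administrators | pts_members`) or on saved text.

# pts membership system:administrators -> one member name per line
pts_members() { sed -e 1d -e 's/^[[:space:]]*//' -e '/^$/d'; }

# bos listusers <machine> -> one UserList name per line
bos_users() { sed -n 's/^SUsers are:[[:space:]]*//p' | tr -s ' ' '\n' | sed '/^$/d'; }

# kas examine <user> -> exit 0 if the first line lists the ADMIN flag
# (assumed form: "User data for NAME (FLAG+FLAG...)")
kas_is_admin() { head -n 1 | grep -Eq '[(+]ADMIN[+)]'; }

# Constructed sample output, not taken from a real cell.
SAMPLE_PTS='Members of system:administrators (id: -204) are:
  admin
  pat'
SAMPLE_BOS='SUsers are: admin smith anonymous'
SAMPLE_KAS_ADMIN='User data for admin (ADMIN)'
SAMPLE_KAS_PAT='User data for pat'

# report USER PTS_TEXT BOS_TEXT KAS_TEXT -> one summary line for USER
report() {
  g=no; a=no; u=no
  printf '%s\n' "$2" | pts_members | grep -qxF -- "$1" && g=yes
  printf '%s\n' "$3" | bos_users | grep -qxF -- "$1" && u=yes
  printf '%s\n' "$4" | kas_is_admin && a=yes
  echo "$1 system:administrators=$g ADMIN=$a UserList=$u"
}

# anonymous_privileged PTS_TEXT BOS_TEXT -> exit 0 if anonymous is in either list
anonymous_privileged() {
  { printf '%s\n' "$1" | pts_members; printf '%s\n' "$2" | bos_users; } |
    grep -qxF anonymous
}

report admin "$SAMPLE_PTS" "$SAMPLE_BOS" "$SAMPLE_KAS_ADMIN"
report pat "$SAMPLE_PTS" "$SAMPLE_BOS" "$SAMPLE_KAS_PAT"
if anonymous_privileged "$SAMPLE_PTS" "$SAMPLE_BOS"; then
  echo "WARNING: anonymous holds an administrative privilege"
fi
```

Because the UserList file is local to each server machine, run the bos listusers check against every AFS server machine in the cell, not just one.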