[2199] in Kerberos_V5_Development
aklog, PAGs, and other fun stuff
daemon@ATHENA.MIT.EDU (Kenneth A Hornstein)
Tue Feb 4 20:38:49 1997
To: krbdev@MIT.EDU
Date: Tue, 04 Feb 1997 20:38:22 -0500
From: Kenneth A Hornstein <kenh@cmf.nrl.navy.mil>
There are a number of subtle issues w.r.t. PAGs and running of aklog that
I've encountered today. I was wondering if anyone else had some thoughts
on this:
- If you're running an AFS/NFS translator, setpag needs to be called _as root_
but _after_ initgroups (or else you need to hack on initgroups to save
the PAG groups). Otherwise the "fake" setpag can't modify the group list,
or the call to initgroups wipes out your PAG.
- If you don't allocate a PAG _and_ you're using a translator, aklog needs to
run with the real userid of the user (i.e., seteuid won't cut it) because
otherwise aklog will end up storing the token for root (boy, that was fun
to debug :-) ).
So, it seems that login really needs to be restructured a bit to support this.
What do other people think?
--Ken
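
The two ordering constraints in the message above, as a small model added here for illustration (not part of the original message, and not AFS or login source code). The step names, the sample uid 1000 and the simplified rules (login starts as root, setpag and initgroups only take effect with effective uid 0, a token without a PAG is keyed on the real uid) are assumptions drawn from the message's description.

```c
/* Added model of the ordering constraints above; not AFS or login code. */
#include <stdio.h>

enum step { INITGROUPS, SETPAG, SETEUID_USER, SETUID_USER, AKLOG };
struct cred { int ruid, euid, pag; };   /* pag: 0 = none, 1 = allocated */

#define USER_UID   1000   /* constructed sample uid */
#define TOKEN_NONE (-1)   /* aklog never ran */
#define TOKEN_PAG  (-2)   /* token attached to the PAG rather than a uid */

/* Assumed model: login starts as root; setpag and initgroups need euid 0;
   without a PAG the token is keyed on the real uid. */
int token_owner(const enum step *steps, int n)
{
    struct cred c = { 0, 0, 0 };
    int owner = TOKEN_NONE;
    for (int i = 0; i < n; i++) {
        switch (steps[i]) {
        case INITGROUPS:   if (c.euid == 0) c.pag = 0; break; /* list rewritten, PAG groups lost */
        case SETPAG:       if (c.euid == 0) c.pag = 1; break; /* cannot edit group list unless root */
        case SETEUID_USER: c.euid = USER_UID; break;          /* real uid stays 0 */
        case SETUID_USER:  if (c.euid == 0) c.ruid = USER_UID;
                           c.euid = USER_UID; break;
        case AKLOG:        owner = c.pag ? TOKEN_PAG : c.ruid; break;
        }
    }
    return owner;
}

/* Constructed step sequences for the cases the message describes. */
const enum step good[]      = { INITGROUPS, SETPAG, SETUID_USER, AKLOG };
const enum step pag_wiped[] = { SETPAG, INITGROUPS, SETUID_USER, AKLOG };
const enum step pag_late[]  = { INITGROUPS, SETUID_USER, SETPAG, AKLOG };
const enum step euid_only[] = { INITGROUPS, SETEUID_USER, AKLOG };
const enum step real_uid[]  = { INITGROUPS, SETUID_USER, AKLOG };

static void show(const char *name, const enum step *s, int n)
{
    int o = token_owner(s, n);
    if (o == TOKEN_PAG) printf("%-10s token stored in PAG\n", name);
    else                printf("%-10s token stored for uid %d\n", name, o);
}

int main(void)
{
    show("good", good, 4);           show("pag_wiped", pag_wiped, 4);
    show("pag_late", pag_late, 4);   show("euid_only", euid_only, 3);
    show("real_uid", real_uid, 3);
    return 0;
}
```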