[1000] in arla-drinkers
Re: PAM and arla
daemon@ATHENA.MIT.EDU (Charles Karney)
Wed Jul 21 14:38:16 1999
From owner-arla-drinkers@stacken.kth.se Wed Jul 21 18:38:15 1999
Return-Path: <owner-arla-drinkers@stacken.kth.se>
Delivered-To: arla-drinkers-mtg@bloom-picayune.mit.edu
Received: (qmail 10354 invoked from network); 21 Jul 1999 18:38:14 -0000
Received: from unknown (HELO sundance.stacken.kth.se) (130.237.234.41)
by bloom-picayune.mit.edu with SMTP; 21 Jul 1999 18:38:14 -0000
Received: (from majordom@localhost)
by sundance.stacken.kth.se (8.8.8/8.8.8) id UAA15367
for arla-drinkers-list; Wed, 21 Jul 1999 20:33:30 +0200 (MET DST)
Received: from pppl.gov (root@mailserver.pppl.gov [192.55.106.129])
by sundance.stacken.kth.se (8.8.8/8.8.8) with ESMTP id UAA15363
for <arla-drinkers@stacken.kth.se>; Wed, 21 Jul 1999 20:33:18 +0200 (MET DST)
Received: from cucaracha.pppl.gov (IDENT:karney@cucaracha.pppl.gov [198.35.4.90])
by pppl.gov (8.9.2/8.9.2) with ESMTP id OAA16485;
Wed, 21 Jul 1999 14:32:58 -0400 (EDT)
Received: (from karney@localhost)
by cucaracha.pppl.gov (8.9.2/8.9.2) id OAA16771;
Wed, 21 Jul 1999 14:32:57 -0400 (EDT)
From: Charles Karney <karney@pppl.gov>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14230.4697.586643.637790@cucaracha.pppl.gov>
Date: Wed, 21 Jul 1999 14:32:57 -0400 (EDT)
To: Tim Yardley <yardley@ncsa.uiuc.edu>
Cc: Tobias Schaefer <T.Schaefer@science-computing.de>,
Assar Westerlund <assar@sics.se>, arla-drinkers@stacken.kth.se,
kth-krb-bugs@nada.kth.se, root-cucaracha@pppl.gov, ssh-afs@umich.edu
Subject: Re: PAM and arla
In-Reply-To: <Pine.SOL.3.95.990720152400.12489A-100000@pecos.ncsa.uiuc.edu>
References: <Pine.SOL.4.02.9907201745480.16331-100000@pollux.science-computing.de>
<Pine.SOL.3.95.990720152400.12489A-100000@pecos.ncsa.uiuc.edu>
X-Mailer: VM 6.67 under Emacs 19.34.1
Reply-To: karney@princeton.edu
Sender: owner-arla-drinkers@stacken.kth.se
Precedence: bulk
> From: Tim Yardley <yardley@ncsa.uiuc.edu>
> To: Tobias Schaefer <T.Schaefer@science-computing.de>
> cc: Assar Westerlund <assar@sics.se>, arla-drinkers@stacken.kth.se,
> kth-krb-bugs@nada.kth.se
> Subject: Re: PAM and arla
> Date: Tue, 20 Jul 1999 15:45:24 -0500 (CDT)
>
> On Tue, 20 Jul 1999, Tobias Schaefer wrote:
> : But I _do_ think that even root's token should be protected by a PAG. If
> : this is not possible, every daemon on the system works with this token.
> : This is unnecessary at best.
>
> I don't remember the exact reasoning, but if I recall correctly...
> Transarc decided that root should not get a pag shell. This was decided
> for some security reason, however... I do not recall exactly what it was.
I think this (not automatically giving root a PAG) is the RIGHT behavior.
Here's why:
At one time our users started complaining that their AFS tokens were
disappearing and being replaced by the tokens of different users.
The problem turned out to be our using ssh with Dug Song's
ssh-afs-kerberos patch. I had logged in as root using ssh. This had
provided me a PAG (but no AFS tokens). I had then restarted XDM, which
also inherited the same PAG. Thereafter, everyone who logged in via XDM
shared the same PAG and so anytime someone did a klog he changed the tokens
for all the XDM users.
Result: confusion and a possibly serious security breach.
Two other things were needed to make this happen: no separate PAG creation
during XDM logins (nowadays we use PAM to do this) and no use of pagsh by
users.
Nevertheless, I think it's very important that, by default, root should NOT
have a PAG. Otherwise, any system work he does is likely to inherit the
PAG causing all sorts of anomalies.
I requested this feature from Tobias for the Linux AFS PAM module (which
he kindly provided), and I've made a patch to the ssh-afs-kerberos patch to
do the same thing. I'll provide this if anyone wants. Basically it does
things like
- if (k_hasafs()) {
+ if (pw->pw_uid != UID_ROOT && k_hasafs()) {
k_setpag();
k_unlog();
}
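Review bot: moving the uid test into the same condition as k_hasafs() also skips k_unlog() for root, so a root session keeps whatever token is already bound to uid 0 on that host (for example one left behind by an admin who ran klog without pagsh first). If the intent is only to avoid creating a PAG for root, consider keeping k_unlog() under the plain `if (k_hasafs())` and guarding only k_setpag() with `pw->pw_uid != UID_ROOT`, so root still starts each login without inherited tokens; the trade-off is that an unlog from a PAG-less root session drops the uid-0 token that other daemons on the box may be using, which is exactly the sharing the mail warns about.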
On the occasions when root needs an AFS token we require our system admins
to do an explicit pagsh. (And, of course, it's very dangerous if they
neglect to do the pagsh. For example, the ftp daemon running as UID 0
might share the AFS token.)
--
Charles Karney
Plasma Physics Laboratory E-mail: Karney@Princeton.EDU
Princeton University Phone: +1 609 243 2607
Princeton, NJ 08543-0451 FAX: +1 609 243 3438
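The PAG inheritance chain described in the mail (ssh gives root a PAG, root restarts XDM, every XDM login then shares that PAG and one user's klog replaces everyone's token) is easy to reason about with a small model. The following is an added example, not code from the mail, from arla or from KTH krb: it models the cache manager's token table keyed by PAG, fork() copying the PAG to children, and a login routine carrying the `pw_uid != UID_ROOT` condition from the patch. The fallback to a uid-keyed token slot for processes without a PAG reflects how AFS treats PAG-less processes; the PAG numbers, uids, principal names and process names are constructed for the model.

```python
"""Toy model of AFS PAG inheritance (constructed example, not arla/kafs code).
Tokens live in the cache manager keyed by PAG; fork() copies the PAG, so every
process forked from a session with a PAG sees, and can replace, its token."""
import itertools

UID_ROOT = 0


class CacheManager:
    """Stand-in for the AFS cache manager's token table."""

    def __init__(self):
        self._pags = itertools.count(0x41000001)  # constructed PAG ids; only uniqueness matters
        self.tokens = {}  # key -> principal currently holding the token

    def new_pag(self):
        return next(self._pags)


class Process:
    def __init__(self, cm, uid, pag, name):
        self.cm, self.uid, self.pag, self.name = cm, uid, pag, name

    def fork(self, name, uid=None):
        # fork() copies the PAG; a later setuid() does not change it
        return Process(self.cm, self.uid if uid is None else uid, self.pag, name)

    def _key(self):
        # Without a PAG the cache manager identifies the caller by uid, so every
        # uid-0 process on the host (ftpd, cron, ...) shares one token slot.
        return ("pag", self.pag) if self.pag is not None else ("uid", self.uid)

    def k_setpag(self):
        self.pag = self.cm.new_pag()

    def k_unlog(self):
        self.cm.tokens.pop(self._key(), None)

    def klog(self, principal):
        self.cm.tokens[self._key()] = principal

    def token(self):
        return self.cm.tokens.get(self._key())


def login(daemon, uid, name, new_pag, protect_root):
    """Session setup by a login program (ssh, xdm via PAM).  new_pag: the program
    does k_setpag()+k_unlog() at all; protect_root: the patch's extra condition
    pw->pw_uid != UID_ROOT, which leaves root without a PAG."""
    session = daemon.fork(name, uid=uid)
    if new_pag and not (protect_root and uid == UID_ROOT):
        session.k_setpag()
        session.k_unlog()
    return session


def shared_pag_incident():
    """Unpatched ssh gives root a PAG; root restarts xdm; xdm logins get no PAG."""
    cm = CacheManager()
    sshd = Process(cm, UID_ROOT, None, "init").fork("sshd")
    root = login(sshd, UID_ROOT, "root-ssh", new_pag=True, protect_root=False)
    xdm = root.fork("xdm")  # inherits root's PAG
    alice = login(xdm, 1000, "alice", new_pag=False, protect_root=False)
    bob = login(xdm, 1001, "bob", new_pag=False, protect_root=False)
    alice.klog("alice@CELL")
    bob.klog("bob@CELL")  # same PAG: this replaces alice's token too
    return {p.name: p.token() for p in (alice, bob, xdm, root)}


def protected_root():
    """Patched ssh (no PAG for root) plus a PAM module that gives each xdm login a PAG."""
    cm = CacheManager()
    sshd = Process(cm, UID_ROOT, None, "init").fork("sshd")
    root = login(sshd, UID_ROOT, "root-ssh", new_pag=True, protect_root=True)
    xdm = root.fork("xdm")  # no PAG to inherit
    alice = login(xdm, 1000, "alice", new_pag=True, protect_root=True)
    bob = login(xdm, 1001, "bob", new_pag=True, protect_root=True)
    alice.klog("alice@CELL")
    bob.klog("bob@CELL")
    ftpd = root.fork("ftpd")  # uid-0 daemon started from root's shell, no PAG
    root.klog("admin@CELL")  # root ran klog without an explicit pagsh first
    return {p.name: p.token() for p in (alice, bob, xdm, ftpd)}


def root_with_pagsh():
    """The mail's rule for admins: root gets a token only inside an explicit pagsh."""
    cm = CacheManager()
    root = login(Process(cm, UID_ROOT, None, "init"), UID_ROOT, "root-ssh",
                 new_pag=True, protect_root=True)
    ftpd = root.fork("ftpd")
    shell = root.fork("pagsh")
    shell.k_setpag()  # pagsh
    shell.klog("admin@CELL")
    return {"pagsh": shell.token(), "ftpd": ftpd.token(), "root-ssh": root.token()}


if __name__ == "__main__":
    print("shared PAG:", shared_pag_incident())
    print("root without PAG:", protected_root())
    print("root inside pagsh:", root_with_pagsh())
```

`shared_pag_incident()` reproduces the complaint in the mail: alice, bob, xdm and the root ssh session all end up holding bob's token. `protected_root()` shows the two fixes together isolating the users, but also the remaining hazard the mail points out: a root klog done outside a pagsh lands in the uid-0 slot that ftpd shares. `root_with_pagsh()` shows the explicit pagsh confining root's token to that shell.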