[1001] in arla-drinkers


Re: PAM and arla

daemon@ATHENA.MIT.EDU (Christopher Allen Wing)
Wed Jul 21 15:31:10 1999

From owner-arla-drinkers@stacken.kth.se Wed Jul 21 19:31:09 1999
Return-Path: <owner-arla-drinkers@stacken.kth.se>
Delivered-To: arla-drinkers-mtg@bloom-picayune.mit.edu
Received: (qmail 10842 invoked from network); 21 Jul 1999 19:31:08 -0000
Received: from unknown (HELO sundance.stacken.kth.se) (130.237.234.41)
  by bloom-picayune.mit.edu with SMTP; 21 Jul 1999 19:31:08 -0000
Received: (from majordom@localhost)
	by sundance.stacken.kth.se (8.8.8/8.8.8) id VAA16625
	for arla-drinkers-list; Wed, 21 Jul 1999 21:26:30 +0200 (MET DST)
Received: from agogo.engin.umich.edu (root@agogo.engin.umich.edu [141.212.32.118])
	by sundance.stacken.kth.se (8.8.8/8.8.8) with ESMTP id VAA16576
	for <arla-drinkers@stacken.kth.se>; Wed, 21 Jul 1999 21:26:09 +0200 (MET DST)
Received: from localhost (wingc@localhost [127.0.0.1])
	by agogo.engin.umich.edu (8.9.1a/8.9.1) with SMTP id PAA16289;
	Wed, 21 Jul 1999 15:26:02 -0400 (EDT)
Date: Wed, 21 Jul 1999 15:26:01 -0400 (EDT)
From: Christopher Allen Wing <wingc@engin.umich.edu>
To: karney@princeton.edu
cc: arla-drinkers@stacken.kth.se
Subject: Re: PAM and arla
In-Reply-To: <14230.4697.586643.637790@cucaracha.pppl.gov>
Message-ID: <Pine.HPX.4.02.9907211515390.16146-100000@agogo.engin.umich.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-arla-drinkers@stacken.kth.se
Precedence: bulk

Charles:

> At one time our users started complaining that their AFS tokens were
> disappearing and being replaced by the tokens of different users.
> 
> The problem turned out to be our using ssh with the Dug Song's
> ssh-afs-kerberos patch.  I had logged in as root using ssh.  This had
> provided me a PAG (but no AFS tokens).  I had then restarted XDM, which
> also inherited the same PAG.  Thereafter, everyone who logged in via XDM
> shared the same PAG and so anytime someone did a klog he changed the tokens
> for all the XDM users.
> 
> Result: confusion and a possibly serious security breach.
> 
> Two other things were needed to make this happen: no separate PAG creation
> during XDM logins (nowadays we use PAM to do this) and no use of pagsh by
> users.

Right. This is why you should always use setpag() before you open up a
user's login session.

> Nevertheless, I think it's very important that, by default, root should NOT
> have a PAG.   Otherwise, any system work he does is likely to inherit the
> PAG causing all sorts of anomalies.

Yep, actually with the setgroups() wrapper for Arla this problem can still
occur. The setgroups() wrapper makes sure that the current PAG will always
persist, unless the user decides to explicitly do a setpag.

So, if you have a PAG and su to root, the root shell will indeed inherit
your tokens. For this reason I always make sure to log in as root and not
su if I am going to start up a daemon.

The best way to fix this problem in Arla is to make Arla use the UID in
addition to the first 2 supplementary groups to determine the PAG.

At present, if the 2 magic groups are present, Arla uses them alone to
figure out which PAG the current process is in; otherwise it uses the UID.
I would suggest changing the logic so that the UID is used along with the
PAG number derived from the magic groups to find out the current PAG; i.e.
uid=4000, groups=33536 33521 is a different PAG than uid=0, groups=33536
33521.

-Chris Wing
wingc@engin.umich.edu
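To make the PAG logic discussed in this message concrete, here is an added illustration; it is not Arla's code and not from this thread. It decodes a PAG from the two magic supplementary groups using the classic AFS group encoding (an assumption about what Arla used in 1999), then contrasts the token lookup key the message describes as current (magic groups alone if present, else UID) with the proposed (UID, PAG) key, using the group numbers quoted above. The names `pag_from_groups`, `cred_pag`, `pag_key_current`, `pag_key_proposed`, `struct proc_cred` and the `NOPAG` constant are all hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/* Sentinel meaning "this process is in no PAG" (name assumed). */
#define NOPAG 0xffffffffU

/* Process credentials as the kernel presents them to the file system:
 * uid plus supplementary groups. Only the first two groups matter for
 * PAG detection (constructed struct, not a kernel type). */
struct proc_cred {
    uid_t uid;
    gid_t groups[16];
    int   ngroups;
};

/* Decode a PAG from the two magic groups. This is the classic AFS
 * encoding (assumption: what Arla used at the time): each group carries
 * 16 bits above an offset of 0x3f00, and a valid PAG always has 'A'
 * (0x41) as its top byte, which is how an unrelated pair of ordinary
 * gids is rejected. */
uint32_t pag_from_groups(gid_t g0a, gid_t g1a)
{
    uint32_t g0 = (uint32_t)g0a - 0x3f00U;
    uint32_t g1 = (uint32_t)g1a - 0x3f00U;
    uint32_t l, h, ret;

    /* Ordinary gids underflow here and land outside the range. */
    if (g0 >= 0xc000U || g1 >= 0xc000U)
        return NOPAG;

    l = ((g0 & 0x3fffU) << 14) | (g1 & 0x3fffU);
    h = (g0 >> 14);
    h = (g1 >> 14) + h + h + h;
    ret = (h << 28) | l;
    return ((ret >> 24) & 0xffU) == 'A' ? ret : NOPAG;
}

/* PAG of a process: decoded from the first two supplementary groups. */
uint32_t cred_pag(const struct proc_cred *c)
{
    if (c->ngroups < 2)
        return NOPAG;
    return pag_from_groups(c->groups[0], c->groups[1]);
}

/* Token-cache key under the logic the message describes as current: the
 * magic groups alone identify the PAG when present; otherwise the uid
 * does. The two cases are tagged so a bare uid never collides with a PAG. */
uint64_t pag_key_current(const struct proc_cred *c)
{
    uint32_t pag = cred_pag(c);
    if (pag != NOPAG)
        return ((uint64_t)1 << 32) | pag;
    return (uint64_t)c->uid;
}

/* Token-cache key under the proposed logic: uid and PAG together, so a
 * root shell that inherited a user's groups gets its own token slot. */
uint64_t pag_key_proposed(const struct proc_cred *c)
{
    return ((uint64_t)c->uid << 32) | cred_pag(c);
}

int main(void)
{
    /* Constructed credentials using the group numbers from the message:
     * a user in a PAG, and a root shell reached via su that inherited it. */
    struct proc_cred user = { 4000, { 33536, 33521, 100 }, 3 };
    struct proc_cred root = { 0,    { 33536, 33521, 0   }, 3 };

    printf("PAG from groups 33536 33521 = 0x%08x\n",
           pag_from_groups(33536, 33521));
    printf("current : user and su'd root share a token slot? %s\n",
           pag_key_current(&user) == pag_key_current(&root) ? "yes" : "no");
    printf("proposed: user and su'd root share a token slot? %s\n",
           pag_key_proposed(&user) == pag_key_proposed(&root) ? "yes" : "no");
    return 0;
}
```

Run as-is, it reports that the quoted groups decode to a valid PAG and that only the proposed key separates the su'd root shell from the user who created the PAG; a root login without the magic groups is keyed by uid alone under both schemes.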

