[988] in arla-drinkers


Re: PAM and arla

daemon@ATHENA.MIT.EDU (Tobias Schaefer)
Tue Jul 20 12:11:23 1999

Date: Tue, 20 Jul 1999 18:03:19 +0200 (MET DST)
From: Tobias Schaefer <T.Schaefer@science-computing.de>
To: Tim Yardley <yardley@ncsa.uiuc.edu>
cc: Assar Westerlund <assar@sics.se>, arla-drinkers@stacken.kth.se,
        kth-krb-bugs@nada.kth.se
Subject: Re: PAM and arla
In-Reply-To: <Pine.SOL.3.95.990719162055.1057B-100000@pecos.ncsa.uiuc.edu>
Message-ID: <Pine.SOL.4.02.9907201745480.16331-100000@pollux.science-computing.de>

On Mon, 19 Jul 1999, Tim Yardley wrote:

> On Mon, 19 Jul 1999, Tobias Schaefer wrote:
> : The administrator of that machine even tried to get a PAG with the
> : pagsh-Program of Linux-AFS. (That is Derek Atkins' port of AFS 3.4 to
> : Linux 2.0.) No luck with that either. The token is always bound to the
> : user's UID.
> 
> I don't recall the initial thread but I have seen something similar to
> this while working with kerberos/afs pam authentication modules.
> Although, it is somewhat of a different light.  Under Solaris 2.7 the pag
> shells don't seem to be getting assigned properly under dtlogin.  This
> could be because dtlogin runs as root, and root is not supposed to get a
> pag shell (if I remember correctly).  But anyway, this causes a problem if
> the permissions are not dropped prior to obtaining an afs token, for
> instance, because then root is assigned the afs token, not the user.

That is exactly what is happening.

But I _do_ think that even root's token should be protected by a PAG. If
this is not possible, every daemon on the system works with this token.
This is unnecessary at best.

I'm quite sure this did work with dtlogin for SOLARIS 2.5 / 2.6. (No
experience with 2.7 though.)


Tobias
-- 

  Tobias Schaefer				Phone	07071-9457-0
  science + computing gmbh			FAX	07071-9457-27
  Hagellocher Weg 71                          
  D-72070 Tuebingen     Email: T.Schaefer@science-computing.de
        WWW:  http://www.science-computing.de/

