[988] in arla-drinkers
Re: PAM and arla
daemon@ATHENA.MIT.EDU (Tobias Schaefer)
Tue Jul 20 12:11:23 1999
From owner-arla-drinkers@stacken.kth.se Tue Jul 20 16:11:22 1999
Return-Path: <owner-arla-drinkers@stacken.kth.se>
Delivered-To: arla-drinkers-mtg@bloom-picayune.mit.edu
Received: (qmail 25164 invoked from network); 20 Jul 1999 16:11:21 -0000
Received: from unknown (HELO sundance.stacken.kth.se) (130.237.234.41)
by bloom-picayune.mit.edu with SMTP; 20 Jul 1999 16:11:21 -0000
Received: (from majordom@localhost)
by sundance.stacken.kth.se (8.8.8/8.8.8) id SAA10277
for arla-drinkers-list; Tue, 20 Jul 1999 18:03:39 +0200 (MET DST)
Received: from orion.science-computing.de (root@orion.science-computing.de [193.197.16.2])
by sundance.stacken.kth.se (8.8.8/8.8.8) with ESMTP id SAA10272
for <arla-drinkers@stacken.kth.se>; Tue, 20 Jul 1999 18:03:34 +0200 (MET DST)
Received: from pollux.science-computing.de (pollux.science-computing.de [193.197.16.39])
by orion.science-computing.de (8.8.8/8.8.8) with SMTP id RAA29877;
Tue, 20 Jul 1999 17:58:44 +0200
Received: from localhost by pollux.science-computing.de (SMI-8.6/SMI-SVR4)
id SAA16673; Tue, 20 Jul 1999 18:03:19 +0200
Date: Tue, 20 Jul 1999 18:03:19 +0200 (MET DST)
From: Tobias Schaefer <T.Schaefer@science-computing.de>
To: Tim Yardley <yardley@ncsa.uiuc.edu>
cc: Assar Westerlund <assar@sics.se>, arla-drinkers@stacken.kth.se,
kth-krb-bugs@nada.kth.se
Subject: Re: PAM and arla
In-Reply-To: <Pine.SOL.3.95.990719162055.1057B-100000@pecos.ncsa.uiuc.edu>
Message-ID: <Pine.SOL.4.02.9907201745480.16331-100000@pollux.science-computing.de>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-arla-drinkers@stacken.kth.se
Precedence: bulk
On Mon, 19 Jul 1999, Tim Yardley wrote:
> On Mon, 19 Jul 1999, Tobias Schaefer wrote:
> : The administrator of that machine even tried to get a PAG with the
> : pagsh-Program of Linux-AFS. (That is Derek Atkins' port of AFS 3.4 to
> : Linux 2.0.) No luck with that either. The token is always bound to the
> : user's UID.
>
> I don't recall the initial thread, but I have seen something similar to
> this while working with kerberos/afs pam authentication modules.
> Although, it is somewhat of a different light. Under Solaris 2.7 the pag
> shells don't seem to be getting assigned properly under dtlogin. This
> could be because dtlogin runs as root, and root is not supposed to get a
> pag shell (if I remember correctly). But anyway, this causes a problem if
> the permissions are not dropped prior to obtaining an afs token, for
> instance, because then root is assigned the afs token, not the user.
That is exactly what is happening.
But I _do_ think that even root's token should be protected by a PAG. If
this is not possible, every daemon on the system works with this token.
This is unnecessary at best.
I'm quite sure this did work with dtlogin for SOLARIS 2.5 / 2.6. (No
experience with 2.7 though.)
Tobias
--
Tobias Schaefer Phone 07071-9457-0
science + computing gmbh FAX 07071-9457-27
Hagellocher Weg 71
D-72070 Tuebingen Email: T.Schaefer@science-computing.de
WWW: http://www.science-computing.de/
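The ordering problem discussed in the thread (a token obtained while the login
process is still root ends up owned by root, and without a PAG it is shared
with every daemon on the machine) can be illustrated in code. The following is
an added example, not code from this thread, from arla or from kth-krb: the
privilege drop is real and portable, while the "new PAG" and "get token" steps
are passed in as callbacks, because a real PAM module would use the AFS/kafs
calls for them (the constructed stand-ins here only record which uid ran them).
The uid/gid 65534 fallback used when started as root is an assumption of this
example, not something the thread mentions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

typedef int (*step_fn)(void *ctx);

/* Drop to the target user irrevocably: supplementary groups first (root only),
 * then gid, then uid. Returns 0 on success, -1 (errno set) on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Clear inherited supplementary groups to the target gid. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)          /* gid before uid: setgid needs root */
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Make sure the drop is irrevocable: regaining root must now fail. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* The session sequence a login module should follow. Returns 0 on success,
 * otherwise the 1-based number of the step that failed. */
int afs_login_sequence(uid_t uid, gid_t gid,
                       step_fn new_pag, step_fn get_token, void *ctx)
{
    /* 1. New PAG while still root, so the token is bound to the PAG, not a UID. */
    if (new_pag(ctx) != 0)
        return 1;
    /* 2. Become the user before any credential is obtained. */
    if (drop_privileges(uid, gid) != 0)
        return 2;
    /* 3. Only now fetch the token: it lands in the user's PAG, not root's. */
    if (get_token(ctx) != 0)
        return 3;
    return 0;
}

/* Constructed stand-ins for the AFS calls: they record which uid ran them. */
struct trace { uid_t pag_uid; uid_t token_uid; };
static struct trace demo_trace;

static int demo_new_pag(void *ctx)
{
    ((struct trace *)ctx)->pag_uid = geteuid();
    return 0;
}

static int demo_get_token(void *ctx)
{
    ((struct trace *)ctx)->token_uid = geteuid();
    return 0;
}

uid_t demo_token_uid(void) { return demo_trace.token_uid; }
uid_t demo_pag_uid(void)   { return demo_trace.pag_uid; }

/* Run the sequence for the current user (or for uid/gid 65534, an assumed
 * unprivileged id, when started as root) and check that the token step ran
 * under the target uid. Returns 0 if so, the failing step or -1 otherwise. */
int demo_run(void)
{
    uid_t uid = getuid() == 0 ? (uid_t)65534 : getuid();
    gid_t gid = getuid() == 0 ? (gid_t)65534 : getgid();
    int rc = afs_login_sequence(uid, gid, demo_new_pag, demo_get_token,
                                &demo_trace);
    if (rc != 0)
        return rc;
    return demo_trace.token_uid == uid ? 0 : -1;
}

int main(void)
{
    int rc = demo_run();
    printf("pag step ran as uid %u, token step as uid %u, result %d\n",
           (unsigned)demo_pag_uid(), (unsigned)demo_token_uid(), rc);
    return rc == 0 ? 0 : 1;
}
```

Run as root, the PAG step reports uid 0 and the token step the target uid,
which is the split the thread argues for; run as an ordinary user, both report
that user's uid and the setuid(0) check confirms no way back to root.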