PAM and arla
Tobias Schaefer
T.Schaefer at science-computing.de
Tue Jul 20 18:03:39 CEST 1999
On Mon, 19 Jul 1999, Tim Yardley wrote:
> On Mon, 19 Jul 1999, Tobias Schaefer wrote:
> : The administrator of that machine even tried to get a PAG with the
> : pagsh-Program of Linux-AFS. (That is Derek Atkins' port of AFS 3.4 to
> : Linux 2.0.) No luck with that either. The token is always bound to the
> : user's UID.
>
> I don't recall the initial thread but I have seen something similar to
> this while working on with kerberos/afs pam authentication modules.
> Although, it is somewhat of a different light. Under Solaris 2.7 the pag
> shells don't seem to be getting assigned properly under dtlogin. This
> could be because dtlogin runs as root, and root is not supposed to get a
> pag shell (if I remember correctly). But anyway, this causes a problem if
> the permissions are not dropped prior to obtaining an afs token for
> instance, because then root is assigned the afs token.. not the user.
That is exactly what is happening.
But I _do_ think that even root's token should be protected by a PAG. If
this is not possible, every daemon on the system works with this token.
This is unnecessary at best.
I'm quite sure this did work with dtlogin for SOLARIS 2.5 / 2.6. (No
experience with 2.7 though.)
Tobias
--
Tobias Schaefer Phone 07071-9457-0
science + computing gmbh FAX 07071-9457-27
Hagellocher Weg 71
D-72070 Tuebingen Email: T.Schaefer at science-computing.de
WWW: http://www.science-computing.de/