PAM and arla

Chris Wing wingc at engin.umich.edu
Thu Jul 22 01:02:33 CEST 1999


Derrick:

> Again, you're making it hard for people who are using this behavior (which,
> intended or not, AFS has) to change PAGs, and I really wish you wouldn't. Now
> that Linux has an in-kernel nfsd it won't matter, but I had also intended to
> use this to allow a user-level nfsd to do the equivalent of Transarc knfs:
> basically allow remote clients to have a PAG.

Okay, I've heard all the arguments, and I guess I'll retract that
suggestion about identifying PAGs via UID :) The real issue as I see it is
that it amounted to protecting root from him/herself, which is not a good
way to set up a Unix system.

(The users here like to be able to su and retain their tokens as well)

The case of an NFS server exporting AFS would be simpler if root can change
PAGs, but it could also be done (although with additional overhead) by
storing tokens in a data structure in the NFS server and loading them as
necessary into a single PAG per NFS server process.

Are there any other applications which truly require root to switch PAGs
and are in common use? (garbage collection of PAGs can be done via the fs
command in Arla, for instance)

My thinking is that the setgroups() restriction adds a reasonable amount of
security for the majority of systems, and is good to have as the default.

Thanks,

Chris Wing
wingc at engin.umich.edu





