<?xml version="1.0" encoding="UTF-8"?>
<refentrytitle>pagsh</refentrytitle>
<manvolnum>1</manvolnum>
<refname>pagsh</refname>
<refpurpose>Creates a new PAG</refpurpose>
<title>Synopsis</title>
<para><emphasis role="bold">pagsh</emphasis></para>
<title>Description</title>
<para>The <emphasis role="bold">pagsh</emphasis> command creates a new command shell (owned by the issuer of
the command) and associates a new <emphasis>process authentication group</emphasis> (PAG)
with the shell and the user. A PAG is a number that uniquely identifies the
issuer of commands in the new shell to the local Cache Manager. The Cache
Manager uses the PAG, instead of the issuer's UNIX UID, to identify the
issuer in the credential structure it creates to track each user.</para>
<para>Any tokens acquired subsequently (presumably for other cells) become
associated with the PAG rather than with the user's UNIX UID. This
method of distinguishing users has two advantages.</para>
<para>It means that processes spawned by the user inherit the PAG and so share
the token; thus they gain access to AFS as the authenticated user. In
many environments, for example, printer and other daemons run under
identities (such as the local superuser <computeroutput>root</computeroutput>) that the AFS server
processes recognize only as <computeroutput>anonymous</computeroutput>. Unless PAGs are used, such
daemons cannot access files in directories whose access control lists
(ACLs) do not extend permissions to the <computeroutput>system:anyuser</computeroutput> group.</para>
<para>It closes a potential security loophole: UNIX allows anyone already logged
in as the local superuser <computeroutput>root</computeroutput> on a machine to assume any other
identity by issuing the UNIX <emphasis role="bold">su</emphasis> command. If the credential structure is
identified by a UNIX UID rather than a PAG, the local superuser
<computeroutput>root</computeroutput> can assume that UNIX UID and use any tokens associated with
it. Keying the credential structure on a PAG closes this route, because
<emphasis role="bold">su</emphasis> changes the UID of the new process but does not place it in the
target user's PAG; the process keeps whatever PAG (if any) its parent had.</para>
<title>Cautions</title>
<para>Each PAG created uses two of the slots in which the kernel records the
UNIX supplementary groups associated with a process. If two such slots are
not free, the <emphasis role="bold">pagsh</emphasis> command fails. This is not a problem on most
operating systems, which make at least 16 slots available per user, but it
can become one for users who are already members of many groups.</para>
<para>In cells that do not use an AFS-modified login utility, use this command
to obtain a PAG before issuing the <emphasis role="bold">klog</emphasis> command (or include the
<emphasis role="bold">-setpag</emphasis> argument to the <emphasis role="bold">klog</emphasis> command). If a PAG is not acquired, the
Cache Manager stores the token in a credential structure identified by
the local UID rather than by a PAG. This creates the security exposure
described in <link linkend="DESCRIPTION">DESCRIPTION</link>: any process running under that UID, including
one the local superuser obtains with <emphasis role="bold">su</emphasis>, can use the token.</para>
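<para>The following shell script is an added example and is not part of this manual page or of the AFS distribution. It ties together the two cautions above: it decodes a PAG from the supplementary group list (the two gid slots the first caution describes) and uses that to refuse to proceed, for instance before <emphasis role="bold">klog</emphasis>, until a PAG exists. The encoding it assumes (a gid window starting at 0x3f00 and spanning 0xc000 values, 14 low bits taken from each gid, the high nibble packed as 3*hi(g0)+hi(g1), and 'A' as the top byte of a genuine PAG) is the classic two-gid scheme as the editor recalls it from OpenAFS's afs_get_pag_from_groups; treat those constants as an assumption and check them against your client's source. The function names pag_from_groups and require_pag are the example's own, and the group list in the demo is constructed, not captured from a real system. Linux clients that keep the PAG in a session keyring do not expose it in the group list at all, so this check does not apply to them.</para>

```shell
#!/bin/sh
# Added example, not from the pagsh manual page or the AFS distribution.
# Decodes an AFS PAG from a supplementary-group list and refuses to go on
# (e.g. before klog) when no PAG is present.
#
# Assumed encoding (classic AFS cache manager, afs_get_pag_from_groups as
# recalled by the editor; verify against your client's source): two gids
# g0,g1 in [0x3f00, 0x3f00+0xc000) carry a 32-bit PAG whose top byte is
# 'A' (0x41). Linux clients with keyring PAGs do not show the PAG here.

# pag_from_groups "<space-separated gids, as printed by id -G>"
# Prints the PAG in hex and returns 0; prints nothing and returns 1 if the
# list carries no valid PAG.
pag_from_groups() {
    g0=-1; g1=-1
    for g in $1; do
        # only gids inside the reserved window [16128, 65280) = [0x3f00, 0xff00)
        # can be PAG slots; take the first two in the order the kernel lists them
        if [ "$g" -ge 16128 ] && [ "$g" -lt 65280 ]; then
            if [ "$g0" -lt 0 ]; then g0=$g
            elif [ "$g1" -lt 0 ]; then g1=$g
            fi
        fi
    done
    [ "$g1" -ge 0 ] || return 1            # fewer than two candidate slots
    a=$((g0 - 16128)); b=$((g1 - 16128))   # strip the 0x3f00 offset
    # low 28 bits: 14 from each gid (mask 16383 = 0x3fff);
    # high nibble: 3*hi(g0) + hi(g1)
    lo=$(( ((a & 16383) << 14) | (b & 16383) ))
    hi=$(( 3 * (a >> 14) + (b >> 14) ))
    pag=$(( (hi << 28) | lo ))
    # a genuine PAG has 'A' (65 = 0x41) in its top byte; anything else is
    # just two ordinary groups that happen to fall inside the window
    [ $(( (pag >> 24) & 255 )) -eq 65 ] || return 1
    printf '0x%x\n' "$pag"
}

# require_pag [gid-list]: succeed only inside a PAG, so that a token
# obtained afterwards is keyed by the PAG and not by the local UID.
# Defaults to the calling process's own supplementary groups (id -G).
require_pag() {
    glist=${1:-$(id -G)}
    if pag=$(pag_from_groups "$glist"); then
        echo "running in PAG $pag"
    else
        echo "no PAG: run pagsh first, or use klog -setpag" >&2
        return 1
    fi
}

# Demo with a constructed group list (not real system output):
# 33536 and 32766 are the two PAG slots, the rest are ordinary groups.
pag_from_groups "1000 4 24 33536 32766"   # -> 0x410000fe
```

<para>To use it as a guard, call <computeroutput>require_pag || exit 1</computeroutput> at the top of a script that goes on to run <emphasis role="bold">klog</emphasis>; a user who forgot <emphasis role="bold">pagsh</emphasis> gets a clear message instead of a token silently keyed by UID.</para>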
<para>If users of NFS client machines for which AFS is supported are to issue
this command as part of authenticating with AFS, do not use the <emphasis role="bold">fs
exportafs</emphasis> command's <emphasis role="bold">-uidcheck on</emphasis> argument to enable UID checking on
NFS/AFS Translator machines. Enabling UID checking prevents this command
from succeeding. See <link linkend="klog1">klog(1)</link>.</para>
<para>If UID checking is not enabled on Translator machines, then by default it
is possible to issue this command on a properly configured NFS client
machine that is accessing AFS via the NFS/AFS Translator, assuming that
the NFS client machine is a supported system type. The <emphasis role="bold">pagsh</emphasis> binary
accessed by the NFS client must be owned by, and grant setuid privilege
to, the local superuser <computeroutput>root</computeroutput>; the complete set of mode bits must be
<computeroutput>-rwsr-xr-x</computeroutput>. This is not a requirement when the command is issued on AFS
client machines, and a setuid-root <emphasis role="bold">pagsh</emphasis> should not be installed where it is
not needed.</para>
<para>However, if the translator machine's administrator has enabled UID
checking by including the <emphasis role="bold">-uidcheck on</emphasis> argument to the <emphasis role="bold">fs exportafs</emphasis>
command, the command fails with an error message similar to the following:</para>
<programlisting>
Warning: Remote setpag to &lt;translator_machine&gt; has failed (err=8). . .
setpag: Exec format error
</programlisting>
<title>Examples</title>
<para>In the following example, the issuer invokes the C shell instead of the
default Bourne shell:</para>
<title>Privilege Required</title>
<title>See Also</title>
<para><link linkend="fs_exportafs1">fs_exportafs(1)</link>,
<link linkend="klog1">klog(1)</link>,
<link linkend="tokens1">tokens(1)</link></para>
<title>Copyright</title>
<para>IBM Corporation 2000. &lt;http://www.ibm.com/&gt; All Rights Reserved.</para>
<para>This documentation is covered by the IBM Public License Version 1.0. It was
converted from HTML to POD by software written by Chas Williams and Russ
Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.</para>