3 pagsh - Creates a new PAG
11 The pagsh command creates a new command shell (owned by the
12 issuer of the command) and associates a new I<process authentication
13 group> (PAG) with the shell and the user. A PAG is a number
14 guaranteed to identify the issuer of commands in the new shell uniquely to the
15 local Cache Manager. The PAG is used, instead of the issuer's UNIX
16 UID, to identify the issuer in the credential structure that the Cache Manager
17 creates to track each user.
19 Any tokens acquired subsequently (presumably for other cells) become
20 associated with the PAG, rather than with the user's UNIX UID.
21 This method for distinguishing users has two advantages.
27 It means that processes spawned by the user inherit the PAG and so share
28 the token; thus they gain access to AFS as the authenticated user.
29 In many environments, for example, printer and other daemons run under
30 identities (such as the local superuser B<root>) that the AFS server
31 processes recognize only as B<anonymous>. Unless PAGs are used,
32 such daemons cannot access files in directories whose access control lists
33 (ACLs) do not extend permissions to the B<system:anyuser>
39 It closes a potential security loophole: UNIX allows anyone already
40 logged in as the local superuser B<root> on a machine to assume any
41 other identity by issuing the UNIX B<su> command. If the
42 credential structure is identified by a UNIX UID rather than a PAG, then the
43 local superuser B<root> can assume a UNIX UID and use any tokens
44 associated with that UID. Use of a PAG as an identifier eliminates that
52 Each PAG created uses two of the memory slots that the kernel uses to
53 record the UNIX groups associated with a user. If none of these slots
54 are available, the B<pagsh> command fails. This is not a
55 problem with most operating systems, which make at least 16 slots available
58 In cells that do not use an AFS-modified login utility, use this command to
59 obtain a PAG before issuing the B<klog> command (or include the
60 B<-setpag> argument to the B<klog> command). If a PAG
61 is not acquired, the Cache Manager stores the token in a credential structure
62 identified by local UID rather than PAG. This creates the potential
63 security exposure described in the B<Description> section.
65 If users of NFS client machines for which AFS is supported are to issue
66 this command as part of authenticating with AFS, do not use the B<fs
67 exportafs> command's B<-uidcheck on> argument to enable UID
68 checking on NFS/AFS Translator machines. Enabling UID checking prevents
69 this command from succeeding. See the reference page for the
72 If UID checking is not enabled on Translator machines, then by default it
73 is possible to issue this command on a properly configured NFS client machine
74 that is accessing AFS via the NFS/AFS Translator, assuming that the NFS client
75 machine is a supported system type. The B<pagsh> binary
76 accessed by the NFS client must be owned by, and grant setuid privilege to,
77 the local superuser B<root>. The complete set of mode bits must
78 be B<-rwsr-xr-x>. This is not a requirement when the command is
79 issued on AFS client machines.
81 However, if the translator machine's administrator has enabled UID
82 checking by including the B<-uidcheck on> argument to the B<fs
83 exportafs> command, the command fails with an error message similar to
87 Warning: Remote setpag to I<translator_machine> has failed (err=8). . .
88 setpag: Exec format error
92 In the following example, the issuer invokes the C shell instead of the
97 =head1 PRIVILEGE REQUIRED
109 IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.
111 This documentation is covered by the IBM Public License Version 1.0. It was
112 converted from HTML to POD by software written by Chas Williams and Russ
113 Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.
git://git.openafs.org / openafs.git / blob