[OpenAFS] PAGs aklog and PAM

Charles Clancy mgrtcc@cs.rose-hulman.edu
Tue, 12 Jun 2001 08:52:07 -0500 (EST)

Looking at the pam_openafs_session PAM module, I don't see how it could
work.  As I understand it, it does the following:
  1. fork
  2. setuid (user logging in)
  3. exec aklog -setpag

aklog is executed, creates a new PAG, grabs a token for the new PAG, and
then dies.  The token dies with the PAG which dies with aklog.  The person
logging in never gets the token.  This is what I experienced when trying
to use it.

Now, without the -setpag, someone with ruid=(user logging in) would get
the token.  However, many daemons (such as proftp and samba) run with
ruid=0 and euid=(user logging in).  If you change the setuid above to a
seteuid, then if you have more than one person FTPing or SAMBAing in,
their tokens clobber each other, since the tokens all end up in the hands
of the root user.  Believe me, it's very annoying to do administration on a
machine where every 30 seconds a stupid webcam FTPs in and clobbers your
admin token.

So, I updated my version of the PAM module to do the following:
  1. #include<afs/param.h> ... setpag();
  2. fork
  3. setuid (user logging in)
  4. exec aklog

This seems to work.  As I understand it, I don't need the setuid, because
the token obtained with aklog will follow the PAG, not the UID.  Since PAM
is all dynamically linked modules, the PAG I obtain here translates back
to the actual daemon doing the authentication.  Is this correct?

      Charles Clancy -- mgrtcc@cs.rose-hulman.edu
Senior UNIX Administrator, Rose-Hulman Computer Science