[OpenAFS-devel] Get no token when su-ing with sudo

Derek Atkins warlord@MIT.EDU
27 Mar 2002 09:57:06 -0500


It looks like sudo is calling AFS in such a way that when it asks for
the password it creates a new PAG (but does not refresh the token)
whereas when sudo does not ask for a password it skips the AFS module
and therefore does not create a new PAG.

You could verify this theory by calling "id" before and after your sudo
commands.  The first time, where you don't have tokens, I bet the
PAG-magic-groups will be different, but in the second case, where you
do still have tokens, I bet they are the same.

-derek

"Frank Bagehorn" <FBA@zurich.ibm.com> writes:

> Hi,
> I ran into a problem with sudo. (The machine runs OpenAFS 1.2.3 on a RH 7.1, 
> latest RH fix kernel.)
> Having a token I run 'sudo su -' (which knows about the pam_afs). It'll 
> ask me for my AFS password
> and then do the su command. I end up being root without having a token any 
> longer.
> 
> [heidegg]/u/fba1$ tokens
> 
> Tokens held by the Cache Manager:
> 
> User's (AFS ID 24642) tokens for afs@zurich.ibm.com [Expires Mar 27 06:27]
>    --End of list--
> [tarasp]/u/fba1$ sudo su -
> AFS Password:
> [root@heidegg /root]# tokens
> 
> Tokens held by the Cache Manager:
> 
>    --End of list--
> [root@heidegg /root]#
> 
> I type 'exit' and do the same thing again. This time sudo will not ask for 
> the password (since it's configured to
> ask only if it's >10 min since the last sudo command), I become root and 
> (surprise!) this time I still have my token.
> 
> [heidegg]/u/fba1$ tokens
> 
> Tokens held by the Cache Manager:
> 
> User's (AFS ID 24642) tokens for afs@zurich.ibm.com [Expires Mar 27 06:27]
>    --End of list--
> [heidegg]/u/fba1$ sudo su -
> [root@heidegg /root]# tokens
> 
> Tokens held by the Cache Manager:
> 
> User's (AFS ID 24642) tokens for afs@zurich.ibm.com [Expires Mar 27 06:27]
>    --End of list--
> [root@heidegg /root]#
> 
> This strangely reminds me of the problem with ssh in version 1.2.2. Does 
> sudo use different code in pam_afs,
> or what could be the reason?
> 
> Regards
> Frank
> 
> ----------------------------------------------------------------------
> Dr. Frank Bagehorn
> IBM Zurich Research Lab.
> Saeumerstr. 4
> CH-8803 Rueschlikon 
> Switzerland
> ----------------------------------------------------------------------
> SMTP: fba@zurich.ibm.com
> Notes: Frank Bagehorn/Zurich/IBM@IBMCH
> phone: ++41 (01) 724 83 23  fax: ++41 (01) 724 89 59
> _______________________________________________
> OpenAFS-devel mailing list
> OpenAFS-devel@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-devel

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
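Derek's "id" check, done mechanically, as an added example that is not part of the thread: it assumes `id -G` output (space-separated GIDs) and, as an assumption not stated above, that an OpenAFS PAG is encoded either as a pair of supplementary GIDs in the range 0x3f00..0xfeff (classic encoding) or as a single GID with the 0x41000000 prefix (newer Linux clients).

```shell
#!/bin/sh
# Added example, not code from the thread.
# Assumed PAG marker ranges (not stated on the page):
#   classic two-GID encoding: 0x3f00..0xfeff      = 16128..65279
#   newer Linux single-GID:   0x41000000..0x41ffffff = 1090519040..1107296255

# pag_gids "<space-separated GIDs>" -> prints only the GIDs that look like PAG markers
pag_gids() {
    out=
    for g in $1; do
        case "$g" in ''|*[!0-9]*) continue ;; esac   # skip anything that is not a number
        if { [ "$g" -ge 16128 ] && [ "$g" -le 65279 ]; } ||
           { [ "$g" -ge 1090519040 ] && [ "$g" -le 1107296255 ]; }; then
            out="$out${out:+ }$g"
        fi
    done
    printf '%s\n' "$out"
}

# pag_changed BEFORE AFTER -> exit 0 when the PAG groups differ (a new PAG was
# created, so tokens in the old PAG are no longer visible), 1 when they match
pag_changed() {
    [ "$(pag_gids "$1")" != "$(pag_gids "$2")" ]
}

# Live use on a client (not run here): compare the caller's groups with those
# seen inside the sudo'd shell, which is exactly the check suggested above.
#   before=$(id -G); after=$(sudo id -G)
#   pag_changed "$before" "$after" && echo "sudo created a new PAG"
```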