[OpenAFS-devel] Get no token when su-ing with sudo
Frank Bagehorn
FBA@zurich.ibm.com
Wed, 27 Mar 2002 16:16:23 +0100
Ok, let's try it:
First case (asks for password):
[heidegg]/u/fba1$ id
uid=24642(fba1) gid=202(is) groups=34051,44605,202(is)
[heidegg]/u/fba1$ sudo su -
AFS Password:
[root@heidegg /root]# id
uid=0(root) gid=0(root)
groups=34051,44606,0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),12(mail),224(imnadm),11(news)
Second case:
[heidegg]/u/fba1$ id
uid=24642(fba1) gid=202(is) groups=34051,44605,202(is)
[heidegg]/u/fba1$ sudo su -
[root@heidegg /root]# id
uid=0(root) gid=0(root)
groups=34051,44605,0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),12(mail),224(imnadm),11(news)
You're right. In the first case one of the magic groups is different, in
the second case it's not.
Frank
----------------------------------------------------------------------
Dr. Frank Bagehorn
IBM Zurich Research Lab.
Saeumerstr. 4
CH-8803 Rueschlikon
Switzerland
----------------------------------------------------------------------
SMTP: fba@zurich.ibm.com
Notes: Frank Bagehorn/Zurich/IBM@IBMCH
phone: ++41 (01) 724 83 23 fax: ++41 (01) 724 89 59
Derek Atkins <warlord@MIT.EDU>
03/27/2002 15:57
Please respond to Derek Atkins
To: Frank Bagehorn/Zurich/IBM@IBMCH
cc: openafs-devel@openafs.org
Subject: Re: [OpenAFS-devel] Get no token when su-ing with sudo
It looks like sudo is calling AFS in such a way that when it asks for
the password it creates a new PAG (but does not refresh the token)
whereas when sudo does not ask for a password it skips the AFS module
and therefore does not create a new PAG.
You could verify this theory by calling "id" before and after your sudo
commands. The first time, where you don't have tokens, I bet the
PAG-magic-groups will be different, but in the second case, where you
do still have tokens, I bet they are the same.
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
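
The before/after "id" comparison described in this thread, as an added example that is not part of the original messages. The function names are hypothetical, and it assumes the PAG groups are the supplementary groups that id prints without a name, which matches the two sessions quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): compare AFS PAG "magic groups" in two
# captures of `id` output. Assumption: the PAG groups are the supplementary
# groups that id prints with no "(name)", as in the sessions quoted above.

# pag_groups ID_OUTPUT: print the unnamed numeric groups, comma-separated.
pag_groups() {
    printf '%s\n' "$1" |
        tr ' ' '\n' |                 # one field per line; a wrapped groups= line works too
        sed -n 's/^groups=//p' |      # keep only the groups= list
        tr ',' '\n' |
        sed -n '/^[0-9][0-9]*$/p' |   # entries without a "(name)" suffix
        paste -sd, -
}

# verdict BEFORE AFTER: report whether the PAG groups changed across sudo.
verdict() {
    before=$(pag_groups "$1")
    after=$(pag_groups "$2")
    if [ -z "$before" ] && [ -z "$after" ]; then
        echo "no-pag"
    elif [ "$before" = "$after" ]; then
        echo "same-pag $after"
    else
        echo "new-pag $before -> $after"
    fi
}

# id output copied from the two sessions in this message.
USER_ID='uid=24642(fba1) gid=202(is) groups=34051,44605,202(is)'
ROOT_CASE1='uid=0(root) gid=0(root)
groups=34051,44606,0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),12(mail),224(imnadm),11(news)'
ROOT_CASE2='uid=0(root) gid=0(root)
groups=34051,44605,0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),12(mail),224(imnadm),11(news)'

echo "first case:  $(verdict "$USER_ID" "$ROOT_CASE1")"
echo "second case: $(verdict "$USER_ID" "$ROOT_CASE2")"
```

On a live host, pass the output of "id" captured before sudo and again inside the root shell in place of the embedded samples.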