[OpenAFS-devel] Get no token when su-ing with sudo

Derek Atkins warlord@MIT.EDU
27 Mar 2002 10:32:02 -0500


Your best bet, probably, is to change sudo to not create a PAG.
I don't know the magic pam_afs incantation.  Perhaps -no-setpag?

-derek

"Frank Bagehorn" <FBA@zurich.ibm.com> writes:

> Ok, let's try it:
> First case (asks for password):
> [heidegg]/u/fba1$ id
> uid=24642(fba1) gid=202(is) groups=34051,44605,202(is)
> [heidegg]/u/fba1$ sudo su -
> AFS Password:
> [root@heidegg /root]# id
> uid=0(root) gid=0(root) 
> groups=34051,44606,0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),12(mail),224(imnadm),11(news)
> 
> Second case:
> [heidegg]/u/fba1$ id
> uid=24642(fba1) gid=202(is) groups=34051,44605,202(is)
> [heidegg]/u/fba1$ sudo su -
> [root@heidegg /root]# id
> uid=0(root) gid=0(root) 
> groups=34051,44605,0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),12(mail),224(imnadm),11(news)
> 
> You're right. In the first case one of the magic groups is different, in 
> the second case it's not.
> 
> Frank
> 
> ----------------------------------------------------------------------
> Dr. Frank Bagehorn
> IBM Zurich Research Lab.
> Saeumerstr. 4
> CH-8803 Rueschlikon 
> Switzerland
> ----------------------------------------------------------------------
> SMTP: fba@zurich.ibm.com
> Notes: Frank Bagehorn/Zurich/IBM@IBMCH
> phone: ++41 (01) 724 83 23  fax: ++41 (01) 724 89 59
> 
> 
> 
> Derek Atkins <warlord@MIT.EDU>
> 03/27/2002 15:57
> Please respond to Derek Atkins
> 
>  
>         To:     Frank Bagehorn/Zurich/IBM@IBMCH
>         cc:     openafs-devel@openafs.org
>         Subject:        Re: [OpenAFS-devel] Get no token when su-ing with sudo
> 
> 
> It looks like sudo is calling AFS in such a way that when it asks for
> the password it creates a new PAG (but does not refresh the token)
> whereas when sudo does not ask for a password it skips the AFS module
> and therefore does not create a new PAG.
> 
> You could verify this theory by calling "id" before and after you sudo
> commands.  The first time, where you don't have tokens, I bet the
> PAG-magic-groups will be different, but in the second case, where you
> do still have tokens, I bet they are the same.
> 
> -derek
> 
> -- 
>        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>        Member, MIT Student Information Processing Board  (SIPB)
>        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
>        warlord@MIT.EDU                        PGP key available
> 
> 
> 

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
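An added example, not code from this thread or from OpenAFS itself: it decodes the PAG id from the two leading "magic" group IDs in the `id` output Frank posted, using the same group-to-PAG mapping that OpenAFS's afs_get_pag_from_groups() applies, so the before/after comparison Derek suggests can be checked mechanically. The `id` lines below are the ones quoted above (the wrapped root lines joined back together); the function names are this example's own.

```python
import re

PAG_GROUP_BASE = 0x3F00  # OpenAFS adds this offset to each of the two PAG groups

# `id` output quoted in the thread (root lines re-joined after mail wrapping)
USER_ID_LINE = "uid=24642(fba1) gid=202(is) groups=34051,44605,202(is)"
ROOT_ID_FIRST_CASE = ("uid=0(root) gid=0(root) groups=34051,44606,0(root),1(bin),"
                      "2(daemon),3(sys),4(adm),6(disk),10(wheel),12(mail),224(imnadm),11(news)")
ROOT_ID_SECOND_CASE = ("uid=0(root) gid=0(root) groups=34051,44605,0(root),1(bin),"
                       "2(daemon),3(sys),4(adm),6(disk),10(wheel),12(mail),224(imnadm),11(news)")


def pag_from_groups(g0, g1):
    """Recover the 32-bit PAG id from the two 'magic' group IDs, or None if
    the pair does not encode a PAG (classic two-group OpenAFS encoding)."""
    g0 -= PAG_GROUP_BASE
    g1 -= PAG_GROUP_BASE
    if not (0 <= g0 < 0xC000 and 0 <= g1 < 0xC000):
        return None
    low = ((g0 & 0x3FFF) << 14) | (g1 & 0x3FFF)   # 28 low bits, 14 from each group
    high = (g1 >> 14) + 3 * (g0 >> 14)             # top nibble, base-3 split over the groups
    pag = (high << 28) | low
    # A genuine PAG id always carries 0x41 ('A') in its top byte
    return pag if (pag >> 24) & 0xFF == 0x41 else None


def pag_from_id_output(line):
    """Parse the groups= field of an `id` line and decode its first two GIDs."""
    m = re.search(r"groups=(\S+)", line)
    if not m:
        return None
    gids = [int(entry.split("(")[0]) for entry in m.group(1).split(",")]
    if len(gids) < 2:
        return None
    return pag_from_groups(gids[0], gids[1])


def pag_changed(id_before, id_after):
    """True when the two `id` lines sit in different PAGs (a fresh PAG after sudo
    means the new shell will not see the caller's tokens)."""
    return pag_from_id_output(id_before) != pag_from_id_output(id_after)


if __name__ == "__main__":
    for name, line in (("user", USER_ID_LINE), ("root, asked for password", ROOT_ID_FIRST_CASE),
                       ("root, no password prompt", ROOT_ID_SECOND_CASE)):
        print(f"{name:26s} PAG = {pag_from_id_output(line):#010x}")
```

In the first case the PAG changes (0x4180ef3d to 0x4180ef3e), in the second it does not, which is exactly the difference the two `id` listings show.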