[OpenAFS-devel] Get no token when su-ing with sudo

Frank Bagehorn FBA@zurich.ibm.com
Thu, 28 Mar 2002 08:50:21 +0100


>> root is a local user on the machines, so I'm using the 'ignore_root'
>> setting in the PAM configuration already. I added now the
>> 'refresh_tokens' option, but that doesn't change the behavior at all.
>> I still end up without a token after I typed in the password.
>
> Okay -- it looks like a bug (or at least incompatibility) with sudo. The
> sudo PAM client calls "pam_authenticate" on the AFS user authenticating,
> but then calls "pam_setcred" and "pam_opensession" on the user you're
> switching to.  PAM (at least the pam_afs module) isn't designed to
> authenticate as one user, and then open a session for another.

Well, that's not really the case: I don't want to run with a "root" token
later on (if that is what you mean with "open a session for another"). The
token I want to have in the end is the one of my (admin) AFS id.

Or in other words: I am logged in as "fba1" and have a token for "fba1". I
do 'sudo su -' and I want to end up logged in as "root" but again with a
token for "fba1". I just want to keep/renew that token. (The ability to do
certain things as root and to access certain files/scripts etc. as
"system:administrator" or as a member of a certain AFS group go hand in
hand...)

Frank

----------------------------------------------------------------------
Dr. Frank Bagehorn
IBM Zurich Research Lab.
Saeumerstr. 4
CH-8803 Rueschlikon 
Switzerland
----------------------------------------------------------------------
SMTP: fba@zurich.ibm.com
Notes: Frank Bagehorn/Zurich/IBM@IBMCH
phone: ++41 (01) 724 83 23  fax: ++41 (01) 724 89 59