[OpenAFS-devel] Re: setpag switch for afslog?
Jeffrey Hutzelman
jhutz@cmu.edu
Tue, 24 Feb 2004 13:04:45 -0500
On Tuesday, February 24, 2004 10:19:28 -0600 "Douglas E. Engert"
<deengert@anl.gov> wrote:
> If the system supports PAM, it could address (1) and (4)
> The PAG could be obtained in PAM, as long as the PAM routine is called
> from a process that will become the user's shell, or one of its parents.
> (This is related to the privsep problems. You indicate below that it is
> fixed.) And due to the way PAGs are implemented, it needs to be done after
> the groups are set by a daemon.
Uh, no it doesn't. That's why we trap setgroups().
>> If it's only the GIDs, would it be possible for a daemon to exec some
>> kind of helper app, (something like klog -setpag, I guess), which
>> returns those GIDs on its stdout for the daemon to add to the user's
>> groups?
Yes and no. Yes, it's only the GIDs, but no, that's an implementation
detail and exposing it to something like ssh would be a significant
abstraction violation. It also wouldn't work, since once you have a PAG
you cannot change it by calling setgroups().
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
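Added example for context, not code from this thread or from OpenAFS: a small user-space model of the point Jeff is making, namely that a PAG rides in the supplementary group list as a pair of GIDs, and that because the cache manager traps setgroups(), a process that already holds a PAG keeps it no matter what group list a daemon or the user's shell passes in afterwards. The two-GID encoding used here (0x3f00 offset, 'A' tag byte) follows the layout OpenAFS has historically used, written from memory; treat those constants and the trap's exact rules as assumptions of this example. All credentials and group lists are constructed inline.

```c
/* Added example, not code from this thread or from OpenAFS: a user-space model
 * of how a PAG rides in the supplementary group list and why trapping
 * setgroups() keeps it there when a daemon or the user replaces the groups.
 * The encoding constants (0x3f00 offset, 'A' tag byte) are from memory: treat
 * them and the trap's exact rules as assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define NOPAG     0xffffffffu
#define PAG_TAG   'A'
#define MAXGROUPS 32

/* Recover a PAG from a pair of GIDs, or NOPAG if the pair carries none. */
uint32_t pag_from_groups(uint32_t g0, uint32_t g1)
{
    uint32_t h, l, pag;
    g0 -= 0x3f00;   /* unsigned wrap sends ordinary small GIDs out of range */
    g1 -= 0x3f00;
    if (g0 >= 0xc000 || g1 >= 0xc000)
        return NOPAG;
    l = ((g0 & 0x3fff) << 14) | (g1 & 0x3fff);
    h = (g1 >> 14) + 3 * (g0 >> 14);
    pag = (h << 28) | l;
    return ((pag >> 24) & 0xff) == PAG_TAG ? pag : NOPAG;
}

/* Split a PAG into the two GIDs that carry it (inverse of the above). */
void groups_from_pag(uint32_t pag, uint32_t *g0p, uint32_t *g1p)
{
    pag &= 0x7fffffff;
    *g0p = 0x3f00 + ((0x3fff & (pag >> 14)) | (((pag >> 28) / 3) << 14));
    *g1p = 0x3f00 + ((0x3fff & pag) | (((pag >> 28) % 3) << 14));
}

/* A process credential reduced to its supplementary groups; by convention
 * the PAG pair, when present, sits at the front of the list. */
struct cred {
    size_t ngroups;
    uint32_t groups[MAXGROUPS];
};

uint32_t pag_in_cred(const struct cred *cr)
{
    return cr->ngroups >= 2 ? pag_from_groups(cr->groups[0], cr->groups[1]) : NOPAG;
}

/* setpag(): install a PAG, replacing an existing pair or inserting a new one. */
int setpag(struct cred *cr, uint32_t pag)
{
    if (pag_in_cred(cr) == NOPAG) {
        if (cr->ngroups + 2 > MAXGROUPS)
            return -1;
        memmove(cr->groups + 2, cr->groups, cr->ngroups * sizeof cr->groups[0]);
        cr->ngroups += 2;
    }
    groups_from_pag(pag, &cr->groups[0], &cr->groups[1]);
    return 0;
}

/* Model of the trapped setgroups(): apply the caller's list, then put back
 * the PAG the process already had, overwriting any PAG pair the caller
 * supplied. A process that has no PAG yet gets a plain setgroups(). */
int trapped_setgroups(struct cred *cr, const uint32_t *list, size_t n)
{
    uint32_t old = pag_in_cred(cr);
    int insert = (old != NOPAG) && !(n >= 2 && pag_from_groups(list[0], list[1]) != NOPAG);
    if (n + (insert ? 2u : 0u) > MAXGROUPS)
        return -1;
    if (n)
        memcpy(cr->groups, list, n * sizeof list[0]);
    cr->ngroups = n;
    return old == NOPAG ? 0 : setpag(cr, old);
}

/* The login sequence the thread argues about: 0 if every step behaves, else the failing step. */
int run_scenario(void)
{
    struct cred cr = { 1, { 100 } };                 /* constructed: daemon in gid 100 */
    const uint32_t daemon_groups[] = { 100, 200 }, user_groups[] = { 300, 400, 500 };
    uint32_t sneaky[3] = { 0, 0, 600 };

    /* 1: the daemon sets groups before any PAG exists: an ordinary setgroups(). */
    if (trapped_setgroups(&cr, daemon_groups, 2) || pag_in_cred(&cr) != NOPAG)
        return 1;
    /* 2: setpag() attaches a PAG; the pair lands in front of the groups. */
    if (setpag(&cr, 0x41234567u) || cr.ngroups != 4 || pag_in_cred(&cr) != 0x41234567u)
        return 2;
    /* 3: the user's shell replaces its groups; the PAG survives the trap. */
    if (trapped_setgroups(&cr, user_groups, 3) || cr.ngroups != 5 ||
        pag_in_cred(&cr) != 0x41234567u || cr.groups[4] != 500)
        return 3;
    /* 4: handing setgroups() a different PAG pair does not switch PAGs. */
    groups_from_pag(0x41000001u, &sneaky[0], &sneaky[1]);
    if (trapped_setgroups(&cr, sneaky, 3) || cr.ngroups != 3 ||
        pag_in_cred(&cr) != 0x41234567u || cr.groups[2] != 600)
        return 4;
    return 0;
}
```

Step 1 is the daemon case Doug raises: before a PAG exists the trap does nothing, so ordering against the daemon's setgroups() is irrelevant. Steps 3 and 4 are the two halves of Jeff's "no": the GIDs are an implementation detail a caller never needs to know about, and passing a different PAG pair to setgroups() does not move the process into another PAG.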