[OpenAFS-devel] [LKML] Re: In-kernel Authentication Tokens (PAGs)

[Tomas Olsson]

Kyle Moffett <mrmacman_g4@mac.com> writes:

> Most likely you wouldn't attach a key to the UID except for a chrooted
> BIND or something.  For users, the PAM module would use its internal
> policy to attach a new session's context to the key-ring used by the
> other sessions.
>
How does the PAM locate/keep track of that specific ring?

> I am unfamiliar with the "PAG jail", can you please explain this
> concept to me?
> 
Currently, once a process has an explicit PAG, it cannot use the default
PAG, or any PAG of its ancestors. The same holds for all its descendants.
You can't escape your PAG, you can only allocate a new one (a "sub-jail"),
which hides the previous one.

/Tomas