[OpenAFS] Solaris and AFS

John Rudd jrudd@ucsc.edu
Fri, 31 Jan 2003 16:42:55 -0800


[originally sent to the newsgroup, but a colleague said I might get
better response here]



Under SunOS 4.x and AFS, different user sessions have different tokens. 
So, if you log in to a SunOS 4 box from two different locations, and
stay logged in long enough for your AFS tokens to expire ... you can
then renew one session and it will not apply to the other session.  This
is a nice and useful security feature.  One example is that we run a web
server with an AFS token because our htdocs are in AFS space.  If the
tokens expire, either the server must be re-started (via a pagrun type
script, where it will get new tokens and then exec the httpd), or you
must access a shell script via cgi-bin which does the re-acquiring of
tokens for you.  If you run that same shell script as the same UID which
is running httpd, but from a different session, it does you no good.


However, under Solaris (2.6, 7, and 8 at least), this separation doesn't
occur.  In the above case with one UID logged in twice, renewing your
tokens in one session DOES benefit the other session.  Or, in the above
web server example, we also have a solaris web server which can be
refreshed from an external session that runs as the same UID. 
Convenient, but not very secure.


Is this a known problem with AFS and Solaris?  (or was the known problem
with SunOS 4? it'd be unfortunate if that behavior was a bug)  Is it a
fixable problem with AFS and Solaris?  Are there plans to fix it
(probably within OpenAFS, since transarc/ibm AFS is being end-of-lifed)?

Is this problem known to exist on other unices (with AFS or OpenAFS)? 
Is it maybe a BSD-ish vs Sys-V-ish problem?  Meaning we'd get the SunOS4
type behavior from FreeBSD, Darwin, and MacOS X, but we'd get the
Solaris type behavior from other Sys-V based platforms?  (and, which
behavior is seen under Linux?)


Thanks for any answers/insight/etc.


John Rudd