[OpenAFS] Solaris and AFS
Charles Clancy
security@xauth.net
Sat, 1 Feb 2003 14:49:20 -0600 (CST)
On Fri, 31 Jan 2003, John Rudd wrote:
> However, under Solaris (2.6, 7, and 8 at least), this separation doesn't
> occur. In the above case with one UID logged in twice, renewing your
> tokens in one session DOES benefit the other session. Or, in the above
> web server example, we also have a Solaris web server which can be
> refreshed from an external session that runs as the same UID.
> Convenient, but not very secure.
pam_afs.so will automatically get a PAG for you. If you're klog-ing by
hand, you'll need to "klog -setpag". Also, a few releases back, the
-setpag on klog was broken, so make sure you use a recent release.
Authenticated webservers could be started with a script similar to:
#!/bin/sh
case "$1" in
  start)
    # run klog and apachectl inside a new PAG created by pagsh
    pagsh -c 'klog wwwuser -passwd xxx; apachectl start'
    ;;
  *)
    apachectl "$@"
    ;;
esac
(of course, you'd want to specify the full path for all those commands)
[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]