[OpenAFS] What's a PAG? (was Re: What's the status of 2.6 linux kernel support?)

Todd M. Lewis openafs-info@openafs.org
Thu, 05 Aug 2004 08:50:34 -0400

Andreas wrote:
> For the ones (like me) not well versed into kernel development, what 
> exactly is a "PAG"? :)

Oooh, a good easy question to start the day!  Here's a cut-n-paste from 
the pagsh docs:
------- 8>< 8>< 8>< -------------
A PAG is a number guaranteed to identify the issuer of commands in the 
new shell uniquely to the local Cache Manager. The PAG is used, instead 
of the issuer's UNIX UID, to identify the issuer in the credential 
structure that the Cache Manager creates to track each user.

Any tokens acquired subsequently (presumably for other cells) become 
associated with the PAG, rather than with the user's UNIX UID. This 
method for distinguishing users has two advantages.

     * It means that processes spawned by the user inherit the PAG and 
so share the token; thus they gain access to AFS as the authenticated 
user. In many environments, for example, printer and other daemons run 
under identities (such as the local superuser root) that the AFS server 
processes recognize only as anonymous. Unless PAGs are used, such 
daemons cannot access files in directories whose access control lists 
(ACLs) do not extend permissions to the system:anyuser group.

     * It closes a potential security loophole: UNIX allows anyone 
already logged in as the local superuser root on a machine to assume any 
other identity by issuing the UNIX su command. If the credential 
structure is identified by a UNIX UID rather than a PAG, then the local 
superuser root can assume a UNIX UID and use any tokens associated with 
that UID. Use of a PAG as an identifier eliminates that possibility.


Each PAG created uses two of the memory slots that the kernel uses to 
record the UNIX groups associated with a user.
------- 8>< 8>< 8>< -------------

That last line is important, and should probably read "...record the 
UNIX groups associated with a *process*." Since a process's association 
with an authentication token is stored in the process group array, it 
gets inherited in exactly the same way (by the same mechanism in fact) 
that processes group memberships are inherited.  That's why having the 
setgroups() call do the Right Thing is important for AFS. That's also 
why it's called a "Process Authentication Group" rather than, say, a 
"Process Authentication Magical-thingy-do".
    / Todd_Lewis@unc.edu  919-962-5273  http://www.unc.edu/~utoddl /
   /             My wife really likes to make pottery,            /
  /                but to me it's just kiln time.                /