[OpenAFS] PAG issues with ssh

Russ Allbery rra@stanford.edu
Wed, 21 Sep 2005 12:15:09 -0700

Jim Rees <rees@umich.edu> writes:

> Why not acquire a new pag with no tokens when you start a service?
> That's what I do.

That's what I do too, but the PAG is still inherited by all processes
started by that service.  So, in the case of cron, if you have users who
obtain AFS tokens in cron jobs, they have to do it properly or they leak
their tokens to all other cron jobs on the system.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>