[OpenAFS] Problems between group-based PAGs and linux kernel keyrings

Chas Williams (CONTRACTOR) chas@cmf.nrl.navy.mil
Wed, 17 Jun 2009 07:42:11 -0400


In message <20090617083536.GA9791@afs.mcc.ac.uk>, Dr A V Le Blanc writes:
>I log in under gdm, which knows nothing of afs, and in a window,
>I get a new PAG.  'keyctl show' shows that the session number for
>the afs_pag has changed.  I am also careful to have a randomised name
>for my kerberos credentials file.  In this new PAG I kinit and run aklog.
>I now have tokens.
>
>I open a new window, which should not be in the same PAG, and type
>'tokens'.  I have tokens!  Somehow my PAG has got taken over by the
>window manager, or so it appears.  In the past, with group-based
>PAGs, this could not happen.  Now it seems my credentials can wander
>out of the process and the PAG into which I tried to isolate them.

How did you open a new window such that it was not in the same pag?
Unless you do something like pagsh (or fiddle with keyctl), anyone
using the same keyring will share the same pag.  aklog doesn't create
a new pag.