[OpenAFS] Problems between group-based PAGs and Linux kernel keyrings
Felix Frank
Felix.Frank@Desy.de
Wed, 17 Jun 2009 13:55:43 +0200
Chas Williams (CONTRACTOR) wrote (Wed Jun 17 2009 13:42:11 GMT+0200 (CEST))
> In message <20090617083536.GA9791@afs.mcc.ac.uk>,Dr A V Le Blanc writes:
>> I log in under gdm, which knows nothing of afs, and in a window,
>> I get a new PAG. 'keyctl show' shows that the session number for
>> the afs_pag has changed. I am also careful to have a randomised name
>> for my kerberos credentials file. In this new PAG I kinit and run aklog.
>> I now have tokens.
>>
>> I open a new window, which should not be in the same PAG, and type
>> 'tokens'. I have tokens! Somehow my PAG has got taken over by the
>> window manager, or so it appears. In the past, with group-based
>> PAGs, this could not happen. Now it seems my credentials can wander
>> out of the process and the PAG into which I tried to isolate them.
>
> how did you open a new window such that it was not in the same pag?
> unless you do something like pagsh (or fiddle with keyctl) anyone
> using the same keyring will share the same pag. aklog doesn't create
> a new pag.
The way I understood it, the original window runs a pagsh. Tokens that
are retrieved from inside that pagsh should not be visible to any
process outside it. Correct?
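One way to check the isolation discussed above is to compare the afs_pag key that `keyctl show` reports in each window: two processes are in one PAG exactly when they hold the same afs_pag key. This is an added example, not code from the thread or from OpenAFS; the entry layout is assumed from keyctl(1) output and the dumps below are constructed.

```python
import re
from typing import Optional

# One entry of `keyctl show`: serial, permissions, uid, gid, optional "\_ " tree
# prefixes, then "type: description".  Layout assumed from keyctl(1) output;
# the sample dumps below are constructed, not taken from the thread.
_ENTRY = re.compile(r"^\s*(-?\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(?:\\_\s*)*(\w+):\s*(\S*)")


def pag_key_serial(keyctl_show_output: str) -> Optional[int]:
    """Serial of the afs_pag key in the dump, or None when the session keyring
    carries no PAG key (the process is not in any keyring-based PAG)."""
    for line in keyctl_show_output.splitlines():
        m = _ENTRY.match(line)
        if m and m.group(5) == "afs_pag":
            return int(m.group(1))
    return None


def shares_pag(dump_a: str, dump_b: str) -> bool:
    """True iff both processes hold the *same* afs_pag key, i.e. they are in one
    PAG and will see each other's tokens.  Two processes with no PAG at all are
    reported as not sharing one (they are simply unisolated)."""
    a, b = pag_key_serial(dump_a), pag_key_serial(dump_b)
    return a is not None and a == b


# Constructed dumps in the shape of `keyctl show` (serials are made up).
PAGSH_WINDOW = r"""Session Keyring
 123456789 --alswrv   1000  1000  keyring: _ses
 987654321 ----s-rv   1000  1000   \_ afs_pag: _pag
"""
# The symptom from the thread: a second window that ends up with the same PAG key.
SECOND_WINDOW_LEAKED = r"""Session Keyring
 123456789 --alswrv   1000  1000  keyring: _ses
 987654321 ----s-rv   1000  1000   \_ afs_pag: _pag
"""
# A second window started via its own pagsh: new session keyring, new PAG key.
SECOND_WINDOW_ISOLATED = r"""Session Keyring
 222333444 --alswrv   1000  1000  keyring: _ses
 555666777 ----s-rv   1000  1000   \_ afs_pag: _pag
"""
# A window with no PAG key at all (e.g. started before anything called pagsh).
NO_PAG = r"""Session Keyring
 111222333 --alswrv   1000  1000  keyring: _ses
"""

if __name__ == "__main__":
    print("leaked  :", shares_pag(PAGSH_WINDOW, SECOND_WINDOW_LEAKED))    # True
    print("isolated:", shares_pag(PAGSH_WINDOW, SECOND_WINDOW_ISOLATED))  # False
```

Feeding the functions the real `keyctl show` output of the pagsh window and of the second window tells you whether the second window has in fact joined the first one's PAG.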