[OpenAFS] Problems between group-based PAGs and linux kernel keyrings
Chas Williams (CONTRACTOR)
Wed, 17 Jun 2009 08:12:39 -0400
In message <4A38D987.4000100@Desy.de>,Felix Frank writes:
>Chas Williams (CONTRACTOR) wrote (Wed Jun 17 2009 13:42:11 GMT+0200 (CEST))
>> In message <20090617083536.GA9791@afs.mcc.ac.uk>,Dr A V Le Blanc writes:
>>> I log in under gdm, which knows nothing of afs, and in a window,
>>> I get a new PAG. 'keyctl show' shows that the session number for
>>> the afs_pag has changed. I am also careful to have a randomised name
>>> for my kerberos credentials file. In this new PAG I kinit and run aklog.
>>> I now have tokens.
>>> I open a new window, which should not be in the same PAG, and type
>>> 'tokens'. I have tokens! Somehow my PAG has got taken over by the
>>> window manager, or so it appears. In the past, with group-based
>>> PAGs, this could not happen. Now it seems my credentials can wander
>>> out of the process and the PAG into which I tried to isolate them.
>> how did you open a new window such that it was not in the same pag?
>> unless you do something like pagsh (or fiddle with keyctl) anyone
>> using the same keyring will share the same pag. aklog doesnt create
>> a new pag.
>The way I understood it, the original window runs a pagsh. Tokens that
>are retrieved from inside that pagsh should not be visible for any
>process outside it. Correct?
when you login with gdm a new keyring should be created for all the
processes associated with this login session. this is part of pam
as i recall. any windows you open during this login session will be
associated with this keyring unless you take special measures to escape
the default keyring.