[OpenAFS] Problems between group-based PAGs and linux kernel keyrings

Chas Williams (CONTRACTOR) chas@cmf.nrl.navy.mil
Wed, 17 Jun 2009 08:12:39 -0400


In message <4A38D987.4000100@Desy.de>,Felix Frank writes:
>Chas Williams (CONTRACTOR) wrote (Wed Jun 17 2009 13:42:11 GMT+0200 (CEST))
>> In message <20090617083536.GA9791@afs.mcc.ac.uk>,Dr A V Le Blanc writes:
>>> I log in under gdm, which knows nothing of afs, and in a window,
>>> I get a new PAG.  'keyctl show' shows that the session number for
>>> the afs_pag has changed.  I am also careful to have a randomised name
>>> for my kerberos credentials file.  In this new PAG I kinit and run aklog.
>>> I now have tokens.
>>>
>>> I open a new window, which should not be in the same PAG, and type
>>> 'tokens'.  I have tokens!  Somehow my PAG has got taken over by the
>>> window manager, or so it appears.  In the past, with group-based
>>> PAGs, this could not happen.  Now it seems my credentials can wander
>>> out of the process and the PAG into which I tried to isolate them.
>> 
>> how did you open a new window such that it was not in the same pag?
>> unless you do something like pagsh (or fiddle with keyctl) anyone
>> using the same keyring will share the same pag.  aklog doesn't create
>> a new pag.
>
>The way I understood it, the original window runs a pagsh. Tokens that 
>are retrieved from inside that pagsh should not be visible for any 
>process outside it. Correct?

when you log in with gdm a new keyring should be created for all the
processes associated with this login session.  this is part of pam
as i recall.  any windows you open during this login session will be
associated with this keyring unless you take special measures to escape
the default keyring.
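
To check the behaviour described in this message on a live system, compare the output of `keyctl show @s` from each window. The script below is an added example, not part of the original thread: the three captures are constructed, follow the output layout of current keyutils, and assume terminals A and B came from the same gdm login while terminal C ran pagsh first.

```shell
#!/bin/sh
# Constructed `keyctl show @s` captures (sample data, not from the thread).
# A and B: windows opened in one gdm login session. C: assumed to have run pagsh.
TERM_A='Session Keyring
 523981234 --alswrv   1000  1000  keyring: _ses
 901223344 ----s--rv      0     0   \_ afs_pag: _pag'
TERM_B="$TERM_A"
TERM_C='Session Keyring
 118822001 --alswrv   1000  1000  keyring: _ses
 774410092 ----s--rv      0     0   \_ afs_pag: _pag'

# Serial of the session keyring: first field of the first "keyring:" line.
session_serial() {
    printf '%s\n' "$1" | awk '$5 == "keyring:" { print $1; exit }'
}

# Serial of the afs_pag key linked into that keyring; empty if there is none.
pag_serial() {
    printf '%s\n' "$1" |
        awk '{ for (i = 5; i <= NF; i++) if ($i == "afs_pag:") { print $1; exit } }'
}

# Two shells are in the same PAG when they resolve the same afs_pag key,
# which is the case whenever they share one session keyring.
compare() {
    sa=$(session_serial "$1"); sb=$(session_serial "$2")
    pa=$(pag_serial "$1");     pb=$(pag_serial "$2")
    if [ -n "$pa" ] && [ "$pa" = "$pb" ]; then
        echo shared-pag
    elif [ "$sa" = "$sb" ]; then
        echo shared-keyring-no-pag
    else
        echo isolated
    fi
}

echo "A vs B: $(compare "$TERM_A" "$TERM_B")"
echo "A vs C: $(compare "$TERM_A" "$TERM_C")"
```

On a real host, replace the constructed captures with `"$(keyctl show @s)"` collected in each window.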