[OpenAFS] pam-afs-session on OS X Lion

Russ Allbery rra@stanford.edu
Mon, 19 Dec 2011 13:05:49 -0800


Dave Botsch <botsch@cnf.cornell.edu> writes:

> I have no idea what Mac OS X does allow or does not allow. 

> Not sure what the screensaver process is... I do see
> ScreenSaverEngine.app running with my UID (uid 502).

> ps -ef |grep -i screen
>   502 40281  5044   0  3:15PM ??         9:03.54
> /System/Library/Frameworks/ScreenSaver.framework/Versions/A/Resources/ScreenSaverEngine.app/Contents/MacOS/ScreenSaverEngine

Well, I don't have a Mac OS X system, so while I'm happy to fix bugs in
pam-afs-session on that platform, I'm entirely reliant on analysis from
other people to figure out how to fix them.  On a traditional UNIX system,
if you're already UID 502, you can call setuid(502) freely and it always
succeeds.  Possible causes for the problem you saw are that Mac OS X is
not like a traditional UNIX system in this regard (which is easily fixable
by not calling setuid if getuid returns the target UID), the screen saver
is not running the PAM stack as either root or the logged-in user (in
which case it's just never going to work), or it was somehow picking up
the wrong UID for you (which appears to not be the case).

aklog always tries to run the aklog program as the user for which it's
establishing tokens so that it has proper access to the ticket cache and
so that the token is associated with the correct UID if PAGs aren't in
play.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
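The guard described above (skip setuid() when getuid() already returns the target UID, then run the helper as that user and check the result rather than trusting the return code), as an added C example that is not pam-afs-session's own code; needs_setuid, switch_to_uid and run_as_user are assumed names.

```c
/* Added example, not pam-afs-session code; function names are assumed. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if a setuid() call is needed to become target, 0 if already that UID. */
int needs_setuid(uid_t current, uid_t target)
{
    return current != target;
}

/* Become target: 0 on success, -1 with errno set on failure.  No setuid()
 * is issued when the real UID already matches, so a platform that rejects
 * a redundant setuid() cannot make the switch fail. */
int switch_to_uid(uid_t target)
{
    if (!needs_setuid(getuid(), target))
        return 0;
    if (setuid(target) != 0)
        return -1;
    if (getuid() != target || geteuid() != target) {  /* verify, don't trust */
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Fork, switch the child to target, exec argv[0]; return the child's exit
 * status, or -1 when fork/wait fail.  A failed switch or exec yields 127. */
int run_as_user(uid_t target, char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (switch_to_uid(target) != 0) {
            perror("switch_to_uid");
            _exit(127);
        }
        execv(argv[0], argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```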