[OpenAFS] OpenAFS and sudo

Yvan Masson yvan.masson@univ-savoie.fr
Thu, 22 Jan 2015 18:53:15 +0100 

Thanks for your fast answers.

Le mardi 20 janvier 2015 à 20:37 -0500, Jason Edgecombe a écrit :
> On 01/20/2015 03:46 PM, Benjamin Kaduk wrote:
> > Hi,
> >
> > On Tue, 20 Jan 2015, Yvan Masson wrote:
> >
> >> Hi,
> >>
> >> I'm currently preparing the installation of Debian 8 Jessie (the current
> >> almost stable) workstations in an OpenAFS environment. Users can log in
> >> with theirs AFS credentials.
> >> My problem is that if a user use the "sudo" command, he looses his afs
> >> token. After that, the user can use "aklog" to get a new token. The
> >> Kerberos tickets are not destroyed.
> > I don't use sudo on my debian machines (just su), so I think you may need
> > to clarify a bit more: is sudo being used to run a single command with
> > privilege, or to run an interactive shell (as in sudo -i)? 
The most important for me would just one command (for example "sudo
ls").
> Is only the
> > terminal where sudo was run affected, or are other terminal windows
> > affected as well?
If I use sudo in gnome-terminal for example, the token is lost for this
terminal and for all my X session: this is my biggest problem. But if I
have also a running TTY, the token in my TTY is not destroyed.
> >> I suppose that I should do someting with PAM, probably
> >> in /etc/pam.d/sudo, but I don't know exactly what.
> > Well, it probably depends on whether the default (uid-based) pag is in
> > use, or a session-specific pag.
> >
> > I think that with jessie's kernel the pag information is stored in the
> > keyring, so 'keyctl show' before and after sudo is run may be helpful.
Pardon, but I don't know how to use this tool: can I run it from a
terminal ?

> Here is another data point from my experience on RHEL5 with 
> pam_afs_session. I've noticed the following functionality:
> 
> command        keeps tokens
> 'sudo -i'                    no
> 'sudo -s'                   yes
> 'sudo /bin/bash'     yes
For all of these commands, I keep the token while I am root, but it is
destroyed when I type "exit".