[OpenAFS] OpenAFS and sudo

Yvan Masson yvan.masson@univ-savoie.fr
Fri, 23 Jan 2015 17:37:57 +0100


On Thursday, 22 January 2015 at 19:34 -0500, Jason Edgecombe wrote:
> On 01/22/2015 12:53 PM, Yvan Masson wrote:
> > Thanks for your fast answers.
> >
> > On Tuesday, 20 January 2015 at 20:37 -0500, Jason Edgecombe wrote:
> >> On 01/20/2015 03:46 PM, Benjamin Kaduk wrote:
> >>> Hi,
> >>>
> >>> On Tue, 20 Jan 2015, Yvan Masson wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> I'm currently preparing the installation of Debian 8 Jessie (the current
> >>>> almost stable) workstations in an OpenAFS environment. Users can log in
> >>>> with their AFS credentials.
> >>>> My problem is that if a user uses the "sudo" command, he loses his AFS
> >>>> token. After that, the user can use "aklog" to get a new token. The
> >>>> Kerberos tickets are not destroyed.
> >>> I don't use sudo on my debian machines (just su), so I think you may need
> >>> to clarify a bit more: is sudo being used to run a single command with
> >>> privilege, or to run an interactive shell (as in sudo -i)?
> > The most important for me would be just one command (for example "sudo
> > ls").
> >>> Is only the
> >>> terminal where sudo was run affected, or are other terminal windows
> >>> affected as well?
> > If I use sudo in gnome-terminal for example, the token is lost for this
> > terminal and for all my X session: this is my biggest problem. But if I
> > have also a running TTY, the token in my TTY is not destroyed.
> >>>> I suppose that I should do something with PAM, probably
> >>>> in /etc/pam.d/sudo, but I don't know exactly what.
> >>> Well, it probably depends on whether the default (uid-based) pag is in
> >>> use, or a session-specific pag.
> >>>
> >>> I think that with jessie's kernel the pag information is stored in the
> >>> keyring, so 'keyctl show' before and after sudo is run may be helpful.
> > Pardon, but I don't know how to use this tool: can I run it from a
> > terminal?
I finally understood that I needed the keyutils package... So if I run
"keyctl show" before and after a sudo command, the results are exactly
identical:
$ keyctl show
Session Keyring
 901610366 ---lswrv      0  1000  keyring: _ses.2400
 130758458 ----s--v      0     0   \_ afs_pag: _pag
> >
> >> Here is another data point from my experience on RHEL5 with
> >> pam_afs_session. I've noticed the following functionality:
> >>
> >> command           keeps tokens
> >> 'sudo -i'         no
> >> 'sudo -s'         yes
> >> 'sudo /bin/bash'  yes
> > For all of these commands, I keep the token while I am root, but it is
> > destroyed when I type "exit".
> >
> It sounds like you have the 'unlog' program somewhere in your logout
> script. I think that unlog should be handled by your PAM afs module.
Sorry, but I do not know where "unlog" could be run after a sudo... I checked
in ~/.bash_logout but it is not there. Could you tell me where I should look?
Regards, Yvan
> Jason
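As an added example for anyone following the "keyctl show before and after sudo" suggestion in this thread (this is not code from the thread, from OpenAFS or from keyutils): a small Python script that parses `keyctl show` output and reports which keys, the afs_pag key in particular, disappeared between two snapshots. The two snapshots embedded in it are constructed, modelled on the output quoted above; the only assumption about the format is the keyutils column layout (serial, permissions, uid, gid, optional `\_` tree marker, then `type: description`).

```python
"""Diff two `keyctl show` snapshots to find kernel keys lost across a command.

Added example for the thread above; not code from the thread or from OpenAFS.
The sample snapshots are constructed, modelled on the `keyctl show` output
quoted in the thread, not captured from a real machine.
"""
import re
import subprocess
from typing import List, NamedTuple, Set, Tuple


class Key(NamedTuple):
    serial: int
    perms: str
    uid: int
    gid: int
    type: str
    desc: str


# One body line of `keyctl show` (keyutils layout, assumed here):
#   <serial> <perms> <uid> <gid> [\_ tree marker] <type>: <description>
_LINE_RE = re.compile(
    r"^\s*(?P<serial>\d+)\s+(?P<perms>[-a-zA-Z]+)\s+(?P<uid>\d+)\s+(?P<gid>\d+)\s+"
    r"(?:[\\_| ]+)?(?P<type>[A-Za-z]\w*):\s*(?P<desc>.*?)\s*$"
)

# Constructed snapshot: the session keyring and AFS PAG key quoted in the thread.
SNAPSHOT_BEFORE = r"""Session Keyring
 901610366 ---lswrv      0  1000  keyring: _ses.2400
 130758458 ----s--v      0     0   \_ afs_pag: _pag
"""

# Constructed snapshot of the failure mode under discussion: a fresh session
# keyring (new serial and _ses.<pid> description) that no longer carries a PAG.
SNAPSHOT_AFTER_LOST = r"""Session Keyring
 901610367 ---lswrv      0  1000  keyring: _ses.2401
"""


def parse_keyctl_show(text: str) -> List[Key]:
    """Parse `keyctl show` text; header lines such as 'Session Keyring' are skipped."""
    keys: List[Key] = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            keys.append(Key(int(m["serial"]), m["perms"], int(m["uid"]),
                            int(m["gid"]), m["type"], m["desc"]))
    return keys


def pag_keys(keys: List[Key]) -> List[Key]:
    """Return only the afs_pag keys, i.e. the process's AFS PAG membership."""
    return [k for k in keys if k.type == "afs_pag"]


def diff_keys(before: List[Key], after: List[Key]
              ) -> Tuple[Set[Tuple[str, str]], Set[Tuple[str, str]]]:
    """Compare by (type, description) rather than serial, since a re-created
    keyring gets a new serial; returns (lost, gained)."""
    b = {(k.type, k.desc) for k in before}
    a = {(k.type, k.desc) for k in after}
    return b - a, a - b


def snapshot() -> List[Key]:
    """Run `keyctl show` on this host (needs the keyutils package installed)."""
    out = subprocess.run(["keyctl", "show"], capture_output=True,
                         text=True, check=True).stdout
    return parse_keyctl_show(out)


def report(before: List[Key], after: List[Key]) -> str:
    lost, gained = diff_keys(before, after)
    lines = [f"lost:   {t}: {d}" for t, d in sorted(lost)]
    lines += [f"gained: {t}: {d}" for t, d in sorted(gained)]
    if not pag_keys(after):
        lines.append("no afs_pag key in the new session keyring: tokens are gone")
    return "\n".join(lines) or "keyrings identical"


if __name__ == "__main__":
    # Offline demonstration on the constructed snapshots.
    print(report(parse_keyctl_show(SNAPSHOT_BEFORE), parse_keyctl_show(SNAPSHOT_AFTER_LOST)))
    # Live use: save snapshot() before the sudo command, snapshot() again after,
    # and pass both to report().
```

To reproduce the thread's check on a real machine, call `snapshot()` in a shell before running the sudo command, call it again afterwards from the same shell, and pass both lists to `report()`; an `afs_pag` entry in the "lost" set is the keyring-level trace of the token loss being discussed.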