[OpenAFS] OpenAFS and sudo

Benjamin Kaduk kaduk@MIT.EDU
Sat, 24 Jan 2015 20:40:02 -0500 (EST)


On Fri, 23 Jan 2015, Yvan Masson wrote:

> On Thursday 22 January 2015 at 19:34 -0500, Jason Edgecombe wrote:
> > On 01/22/2015 12:53 PM, Yvan Masson wrote:
> > > Thanks for your fast answers.
> > >
> > > On Tuesday 20 January 2015 at 20:37 -0500, Jason Edgecombe wrote:
> > >> On 01/20/2015 03:46 PM, Benjamin Kaduk wrote:
> > >>> Hi,
> > >>>
> > >>> On Tue, 20 Jan 2015, Yvan Masson wrote:
> > >>>
> > > The most important for me would be just one command (for example "sudo
> > > ls").

Hmm, 'sudo ls' should not be invoking a new copy of the shell, IIRC, so I
do not think that ~/.bash_logout or similar would be at fault.

> > >> Is only the
> > >>> terminal where sudo was run affected, or are other terminal windows
> > >>> affected as well?
> > > If I use sudo in gnome-terminal for example, the token is lost for this
> > > terminal and for all my X session: this is my biggest problem. But if I
> > > have also a running TTY, the token in my TTY is not destroyed.
> > >>>> I suppose that I should do something with PAM, probably
> > >>>> in /etc/pam.d/sudo, but I don't know exactly what.
> > >>> Well, it probably depends on whether the default (uid-based) pag is in
> > >>> use, or a session-specific pag.
> > >>>
> > >>> I think that with jessie's kernel the pag information is stored in the
> > >>> keyring, so 'keyctl show' before and after sudo is run may be helpful.
> > > Pardon, but I don't know how to use this tool: can I run it from a
> > > terminal ?
> I finally understood that I needed the keyutils package... So if I run
> "keyctl show" before and after a sudo command, the results are exactly
> identical:
> $ keyctl show
> Session Keyring
>  901610366 ---lswrv      0  1000  keyring: _ses.2400
>  130758458 ----s--v      0     0   \_ afs_pag: _pag

Hmm, this leaves me somewhat confused.

Is pam_afs_session present in any pam configuration files?
(grep -r pam_afs_session /etc/pam.d)

-Ben