[OpenAFS] OpenAFS and sudo
Sat, 24 Jan 2015 20:40:02 -0500 (EST)
This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
Content-Type: TEXT/PLAIN; charset=UTF-8
On Fri, 23 Jan 2015, Yvan Masson wrote:
> Le jeudi 22 janvier 2015 =C3=A0 19:34 -0500, Jason Edgecombe a =C3=A9crit=
> > On 01/22/2015 12:53 PM, Yvan Masson wrote:
> > > Thanks for your fast answers.
> > >
> > > Le mardi 20 janvier 2015 =C3=A0 20:37 -0500, Jason Edgecombe a =C3=A9=
> > >> On 01/20/2015 03:46 PM, Benjamin Kaduk wrote:
> > >>> Hi,
> > >>>
> > >>> On Tue, 20 Jan 2015, Yvan Masson wrote:
> > >>>
> > > The most important for me would just one command (for example "sudo
> > > ls").
Hmm, 'sudo ls' should not be invoking a new copy of the shell, IIRC, so I
do not think that ~/.bash_logout or similar would be at fault.
> > >> Is only the
> > >>> terminal where sudo was run affected, or are other terminal windows
> > >>> affected as well?
> > > If I use sudo in gnome-terminal for example, the token is lost for th=
> > > terminal and for all my X session: this is my biggest problem. But if=
> > > have also a running TTY, the token in my TTY is not destroyed.
> > >>>> I suppose that I should do someting with PAM, probably
> > >>>> in /etc/pam.d/sudo, but I don't know exactly what.
> > >>> Well, it probably depends on whether the default (uid-based) pag is=
> > >>> use, or a session-specific pag.
> > >>>
> > >>> I think that with jessie's kernel the pag information is stored in =
> > >>> keyring, so 'keyctl show' before and after sudo is run may be helpf=
> > > Pardon, but I don't know how to use this tool: can I run it from a
> > > terminal ?
> I finally understood that I needed the keyutils package... So if run
> "keyctl show" before and after a sudo command, the results are exactly
> identical :
> $ keyctl show
> Session Keyring
> 901610366 ---lswrv 0 1000 keyring: _ses.2400
> 130758458 ----s--v 0 0 \_ afs_pag: _pag
Hmm, this leaves me somewhat confused.
Is pam_afs_session present in any pam configuration files?
(grep -r pam_afs_session /etc/pam.d)