[OpenAFS] OpenAFS and sudo

Yvan Masson yvan.masson@univ-savoie.fr
Tue, 27 Jan 2015 09:48:46 +0100


On Saturday, 24 January 2015 at 20:40 -0500, Benjamin Kaduk wrote:
> On Fri, 23 Jan 2015, Yvan Masson wrote:
> 
> > On Thursday, 22 January 2015 at 19:34 -0500, Jason Edgecombe wrote:
> > > On 01/22/2015 12:53 PM, Yvan Masson wrote:
> > > > Thanks for your fast answers.
> > > >
> > > > On Tuesday, 20 January 2015 at 20:37 -0500, Jason Edgecombe wrote:
> > > >> On 01/20/2015 03:46 PM, Benjamin Kaduk wrote:
> > > >>> Hi,
> > > >>>
> > > >>> On Tue, 20 Jan 2015, Yvan Masson wrote:
> > > >>>
> > > > The most important for me would be just one command (for example "sudo
> > > > ls").
> 
> Hmm, 'sudo ls' should not be invoking a new copy of the shell, IIRC, so I
> do not think that ~/.bash_logout or similar would be at fault.
> 
> > > >> Is only the
> > > >>> terminal where sudo was run affected, or are other terminal windows
> > > >>> affected as well?
> > > > If I use sudo in gnome-terminal for example, the token is lost for this
> > > > terminal and for all my X session: this is my biggest problem. But if I
> > > > have also a running TTY, the token in my TTY is not destroyed.
> > > >>>> I suppose that I should do something with PAM, probably
> > > >>>> in /etc/pam.d/sudo, but I don't know exactly what.
> > > >>> Well, it probably depends on whether the default (uid-based) pag is in
> > > >>> use, or a session-specific pag.
> > > >>>
> > > >>> I think that with jessie's kernel the pag information is stored in the
> > > >>> keyring, so 'keyctl show' before and after sudo is run may be helpful.
> > > > Pardon, but I don't know how to use this tool: can I run it from a
> > > > terminal?
> > I finally understood that I needed the keyutils package... So if I run
> > "keyctl show" before and after a sudo command, the results are exactly
> > identical:
> > $ keyctl show
> > Session Keyring
> >  901610366 ---lswrv      0  1000  keyring: _ses.2400
> >  130758458 ----s--v      0     0   \_ afs_pag: _pag
> 
> Hmm, this leaves me somewhat confused.
> 
> Is pam_afs_session present in any pam configuration files?
> (grep -r pam_afs_session /etc/pam.d)
Yes, pam_afs_session is in some pam files: common-auth, common-session
and common-session-noninteractive. These files are attached. Indeed, I
suppose something is wrong here.
> 
> -Ben
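
Added example, not part of the original message or of OpenAFS: the `grep -r pam_afs_session /etc/pam.d` check shows which files mention the module, but not which of them a given service such as sudo actually reaches. The sketch below follows `@include` and `include`/`substack` lines from one service file and lists the rules that load a module. The sample file contents are constructed for illustration (they are not the poster's attachments), and `example-svc` is a hypothetical service name.

```python
import os
import re

# Constructed sample contents (not the poster's attachments), keyed by file name.
SAMPLE_PAM_D = {
    "sudo": "@include common-auth\n@include common-account\n"
            "@include common-session-noninteractive\n",
    "common-auth": "auth [success=1 default=ignore] pam_unix.so nullok_secure\n"
                   "auth requisite pam_deny.so\n"
                   "auth optional pam_afs_session.so\n",
    "common-account": "account required pam_unix.so\n",
    "common-session-noninteractive": "session required pam_unix.so\n"
                                     "session optional pam_afs_session.so  # constructed\n",
    # Hypothetical service: pulls only the *session* rules of common-auth (none exist).
    "example-svc": "session include common-auth\n",
}

# type, control (simple word or [bracketed list]), module path or included file
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def load_pam_d(path="/etc/pam.d"):
    """Read every regular file in a PAM directory into {name: text}."""
    files = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, encoding="utf-8", errors="replace") as fh:
                files[name] = fh.read()
    return files

def trace_module(service, module, files, only_type=None, stack=()):
    """List (file, type, control) for each rule reachable from `service` that loads `module`."""
    if service in stack or service not in files:   # include loop or missing file
        return []
    hits = []
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "@include":      # Debian-style: all types
            hits += trace_module(parts[1], module, files, only_type, stack + (service,))
            continue
        m = RULE.match(line)
        if not m:
            continue
        ptype, control, target = m.group(1).lstrip("-"), m.group(2), m.group(3)
        if only_type and ptype != only_type:
            continue
        if control in ("include", "substack"):               # typed include: that type only
            hits += trace_module(target, module, files, ptype, stack + (service,))
        elif module in os.path.basename(target):
            hits.append((service, ptype, control))
    return hits
```

On a live host, `trace_module("sudo", "pam_afs_session", load_pam_d())` gives the same view for the installed configuration.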

