[OpenAFS] Obtaining tokens at login on Ubuntu 18.04

Benjamin Kaduk kaduk@mit.edu
Sun, 19 Aug 2018 12:42:35 -0500


On Sat, Aug 18, 2018 at 06:46:17PM -0400, Prasad K. Dharmasena wrote:
> >
> > pam_afs_session "nopag" should be used in conjunction with USM.
> 
> 
> If no PAG is set, the 'two advantages' described in
> http://docs.openafs.org/Reference/1/pagsh.html go away.  Specifically, this
> part "If the credential structure is identified by a UNIX UID rather than a
> PAG, then the local superuser root can assume a UNIX UID and use any tokens
> associated with that UID." is unacceptable for us. Traditionally, we've had
> departmental admins and lab managers who have root access to machines but
> no rights to users' AFS directories.  I believe this is the point you made
> in the systemd/issues thread.
> 
> So, we must pick our poison?  A: live w/o '"systemctl --user" and all that
> stuff'  or B: pam_afs_session with 'nopag'

I believe that's the current state of affairs.  Perhaps the most fruitful
avenue to pursue for changing it would be to convince Lennart and the
systemd folks of the merits of the security model with finer-grained
credentials than per-UID.  (I do not expect this to be easy, though, as
a truly malicious process of the same UID could replace dotfiles, (some)
binaries on PATH, etc., to pilfer credentials and perform other mayhem.)

-Ben