[OpenAFS] Redux: Linux: systemctl --user vs. AFS
Thu, 5 Aug 2021 17:11:23 +0000 (UTC)
> That approach sounds interesting. Are the specifics documented anywhere f=
or someone wanting to replicate and evaluate it?
It is as basic as it sounds. Setting up sssd is documented in its manpages =
and gets as complicated and messy as your site requires.
user@.service: We literally changed the ExecStart=3D directive to a shell s=
cript that reads like:
if [ ! $guard-against-system-accounts ]; then
=C2=A0=C2=A0=C2=A0 export KRB5CCNAME=3D/path/to/cache-depending-on-$(id -u)
exec /path/to/systemd --user
> I have also enjoyed this functionality historically. My worry though is i=
f you use nopag everywhere, but then use pags for admin tasks, what happens=
if you accidentally start a shared process (sshd, etc) from an admin PAG w=
hen you and/or the process are assuming tokens are per-uid, rather than per=
> To the best of my knowledge, there's no way for a process to drop a PAG o=
nce it is started within one and once you're in a PAG, tokens are then per-=
pag and not per-uid. That's why I took the hybrid approach where ssh's pam =
still creates PAGs on login (basically all of my admin occurs via ssh eithe=
r manually or via ansible).
> Someone please correct me if my assumptions or understanding are wrong!
Yes that is true! I rarely have to do AFS administration. So, I have a shel=
l script that drops me in a pagsh and acquires a token based on an in-memor=
y kerberos ticket (you have to use heimdal's kinit with -afslog option for =
that). Leaving the sub shell destroys the token. The in memory ticket turne=
d out to be even more important for not leaking the privilege into the now =
well-known ticket cache than leaking the token to other processes. Using sy=
stemd removes most of the PAG contagion headaches, as one rarely starts any=
service directly but via systemctl, which merely communicates to systemd, =
which starts the services under its own process context.