Provided by: openafs-client_1.6.7-1ubuntu1.1_amd64 bug

NAME

       pagsh, pagsh.krb - Creates a new PAG

SYNOPSIS

       pagsh

       pagsh.krb

DESCRIPTION

       The pagsh command creates a new command shell (owned by the issuer of the command) and
       associates a new process authentication group (PAG) with the shell and the user. A PAG is
       a number guaranteed to identify the issuer of commands in the new shell uniquely to the
       local Cache Manager. The PAG is used, instead of the issuer's UNIX UID, to identify the
       issuer in the credential structure that the Cache Manager creates to track each user.

       Any tokens acquired subsequently (presumably for other cells) become associated with the
       PAG, rather than with the user's UNIX UID.  This method for distinguishing users has two
       advantages:

       • It means that processes spawned by the user inherit the PAG and so share the token; thus
         they gain access to AFS as the authenticated user.  In many environments, for example,
         printer and other daemons run under identities (such as the local superuser "root") that
         the AFS server processes recognize only as "anonymous". Unless PAGs are used, such
         daemons cannot access files in directories whose access control lists (ACLs) do not
         extend permissions to the system:anyuser group.

       • It closes a potential security loophole: UNIX allows anyone already logged in as the
         local superuser "root" on a machine to assume any other identity by issuing the UNIX su
         command. If the credential structure is identified by a UNIX UID rather than a PAG, then
         the local superuser "root" can assume a UNIX UID and use any tokens associated with that
         UID. Use of a PAG as an identifier eliminates that possibility.

       The (mostly obsolete) pagsh.krb command is the same as pagsh except that it also sets the
       KRBTKFILE environment variable, which controls the default Kerberos v4 ticket cache, to
       /tmp/tktpX where X is the number of the user's PAG.  This is only useful for AFS cells
       still using Kerberos v4 outside of AFS and has no effect for cells using Kerberos v5 and
       aklog or klog.krb5.

CAUTIONS

       Each PAG created uses two of the memory slots that the kernel uses to record the UNIX
       groups associated with a user. If none of these slots are available, the pagsh command
       fails. This is not a problem with most operating systems, which make at least 16 slots
       available per user.

       In cells that do not use an AFS-modified login utility, use this command to obtain a PAG
       before issuing the klog command (or include the -setpag argument to the klog command). If
       a PAG is not acquired, the Cache Manager stores the token in a credential structure
       identified by local UID rather than PAG. This creates the potential security exposure
       described in DESCRIPTION.

       If users of NFS client machines for which AFS is supported are to issue this command as
       part of authenticating with AFS, do not use the fs exportafs command's -uidcheck on
       argument to enable UID checking on NFS/AFS Translator machines. Enabling UID checking
       prevents this command from succeeding. See klog(1).

       If UID checking is not enabled on Translator machines, then by default it is possible to
       issue this command on a properly configured NFS client machine that is accessing AFS via
       the NFS/AFS Translator, assuming that the NFS client machine is a supported system type.
       The pagsh binary accessed by the NFS client must be owned by, and grant setuid privilege
       to, the local superuser "root". The complete set of mode bits must be "-rwsr-xr-x". This
       is not a requirement when the command is issued on AFS client machines.

       However, if the translator machine's administrator has enabled UID checking by including
       the -uidcheck on argument to the fs exportafs command, the command fails with an error
       message similar to the following:

          Warning: Remote setpag to <translator_machine> has failed (err=8). . .
          setpag: Exec format error

EXAMPLES

       In the following example, the issuer invokes the C shell instead of the default Bourne
       shell:

          # pagsh -c /bin/csh

PRIVILEGE REQUIRED

       None

SEE ALSO

       aklog(1), fs_exportafs(1), klog(1), tokens(1)

COPYRIGHT

       IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

       This documentation is covered by the IBM Public License Version 1.0.  It was converted
       from HTML to POD by software written by Chas Williams and Russ Allbery, based on work by
       Alf Wachsmann and Elizabeth Cassell.