.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
.    if \nF \{\
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{\
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PAGSH 1"
.TH PAGSH 1 "2023-12-24" "OpenAFS" "AFS Command Reference"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
pagsh, pagsh.krb \- Creates a new PAG
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBpagsh\fR
.PP
\&\fBpagsh.krb\fR
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBpagsh\fR command creates a new command shell (owned by the issuer of
the command) and associates a new \fIprocess authentication group\fR (\s-1PAG\s0)
with the shell and the user. A \s-1PAG\s0 is a number guaranteed to identify the
issuer of commands in the new shell uniquely to the local Cache Manager.
The \s-1PAG\s0 is used, instead of the issuer's \s-1UNIX UID,\s0 to identify the issuer
in the credential structure that the Cache Manager creates to track each user.
.PP
Any tokens acquired subsequently (presumably for other cells) become
associated with the \s-1PAG,\s0 rather than with the user's \s-1UNIX UID.\s0 This method
for distinguishing users has two advantages:
.IP "\(bu" 2
It means that processes spawned by the user inherit the \s-1PAG\s0 and so share
the token; thus they gain access to \s-1AFS\s0 as the authenticated user. In many
environments, for example, printer and other daemons run under identities
(such as the local superuser \f(CW\*(C`root\*(C'\fR) that the \s-1AFS\s0 server processes
recognize only as \f(CW\*(C`anonymous\*(C'\fR. Unless PAGs are used, such daemons
cannot access files in directories whose access control lists (ACLs) do
not extend permissions to the system:anyuser group.
.IP "\(bu" 2
It closes a potential security loophole: \s-1UNIX\s0 allows anyone already logged
in as the local superuser \f(CW\*(C`root\*(C'\fR on a machine to assume any other identity
by issuing the \s-1UNIX\s0 \fBsu\fR command. If the credential structure is identified
by a \s-1UNIX UID\s0 rather than a \s-1PAG,\s0 then the local superuser
\&\f(CW\*(C`root\*(C'\fR can assume a \s-1UNIX UID\s0 and use any tokens associated with that
\&\s-1UID.\s0 Use of a \s-1PAG\s0 as an identifier eliminates that possibility.
.PP
The (mostly obsolete) \fBpagsh.krb\fR command is the same as \fBpagsh\fR except
that it also sets the \s-1KRBTKFILE\s0 environment variable, which controls the
default Kerberos v4 ticket cache, to \fI/tmp/tktp\fIX\fI\fR where \fIX\fR is the
number of the user's \s-1PAG.\s0 This is only useful for \s-1AFS\s0 cells still using
Kerberos v4 outside of \s-1AFS\s0 and has no effect for cells using Kerberos v5
and \fBaklog\fR or \fBklog.krb5\fR.
.SH "CAUTIONS"
.IX Header "CAUTIONS"
Each \s-1PAG\s0 created uses two of the memory slots that the kernel uses to
record the \s-1UNIX\s0 groups associated with a user. If none of these slots are
available, the \fBpagsh\fR command fails. This is not a problem with most
operating systems, which make at least 16 slots available per user.
.PP
In cells that do not use an AFS-modified login utility, use this command
to obtain a \s-1PAG\s0 before issuing the \fBklog\fR command (or include the
\&\fB\-setpag\fR argument to the \fBklog\fR command). If a \s-1PAG\s0 is not acquired,
the Cache Manager stores the token in a credential structure identified by
local \s-1UID\s0 rather than \s-1PAG.\s0 This creates the potential security exposure
described in \*(L"\s-1DESCRIPTION\*(R"\s0.
.PP
If users of \s-1NFS\s0 client machines for which \s-1AFS\s0 is supported are to issue
this command as part of authenticating with \s-1AFS,\s0 do not use the
\fBfs exportafs\fR command's \fB\-uidcheck on\fR argument to enable \s-1UID\s0 checking on
\&\s-1NFS/AFS\s0 Translator machines. Enabling \s-1UID\s0 checking prevents this command
from succeeding. See \fBklog\fR\|(1).
.PP
If \s-1UID\s0 checking is not enabled on Translator machines, then by default it
is possible to issue this command on a properly configured \s-1NFS\s0 client
machine that is accessing \s-1AFS\s0 via the \s-1NFS/AFS\s0 Translator, assuming that
the \s-1NFS\s0 client machine is a supported system type. The \fBpagsh\fR binary
accessed by the \s-1NFS\s0 client must be owned by, and grant setuid privilege to,
the local superuser \f(CW\*(C`root\*(C'\fR. The complete set of mode bits must be
\&\f(CW\*(C`\-rwsr\-xr\-x\*(C'\fR. This is not a requirement when the command is issued on
\&\s-1AFS\s0 client machines.
.PP
However, if the translator machine's administrator has enabled \s-1UID\s0
checking by including the \fB\-uidcheck on\fR argument to the \fBfs exportafs\fR
command, the command fails with an error message similar to the following:
.PP
.Vb 2
\& Warning: Remote setpag to has failed (err=8). . .
\& setpag: Exec format error
.Ve
.SH "EXAMPLES"
.IX Header "EXAMPLES"
In the following example, the issuer invokes the C shell instead of the
default Bourne shell:
.PP
.Vb 1
\& # pagsh \-c /bin/csh
.Ve
.SH "PRIVILEGE REQUIRED"
.IX Header "PRIVILEGE REQUIRED"
None
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBaklog\fR\|(1),
\&\fBfs_exportafs\fR\|(1),
\&\fBklog\fR\|(1),
\&\fBtokens\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
\&\s-1IBM\s0 Corporation 2000. All Rights Reserved.
.PP
This documentation is covered by the \s-1IBM\s0 Public License Version 1.0. It was
converted from \s-1HTML\s0 to \s-1POD\s0 by software written by Chas Williams and Russ
Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.
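Two of the CAUTIONS above can be verified before relying on pagsh: that the caller still has two free kernel group slots for the PAG, and that a pagsh binary exposed to NFS/AFS Translator clients is root-owned with mode bits exactly -rwsr-xr-x. The following POSIX shell script is an added example and is not part of the OpenAFS man page or the OpenAFS source; the function names are this example's own, the group-slot check assumes the "memory slots" the page refers to are the supplementary-group limit reported by getconf NGROUPS_MAX, and the ls -l line it is run on is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not OpenAFS code): pre-flight checks for the two CAUTIONS
# in pagsh(1). Function names are invented for this example.

# Check 1: does the calling user have two free supplementary-group slots?
# pagsh records the PAG in two of the kernel's group slots and fails when
# fewer than two are free. Both values may be passed explicitly so the check
# can run on constructed numbers; with no arguments it inspects this process.
pag_slots_free() {
    ngroups_max=${1:-$(getconf NGROUPS_MAX)}
    ngroups_now=${2:-$(id -G | wc -w)}
    free=$((ngroups_max - ngroups_now))
    if [ "$free" -ge 2 ]; then
        echo "ok: $free group slots free (a PAG needs 2)"
        return 0
    fi
    echo "fail: only $free group slots free, pagsh would fail"
    return 1
}

# Check 2: on an NFS/AFS Translator client the pagsh binary must be owned by
# root and carry setuid, with the complete mode string -rwsr-xr-x (4755).
# Takes one 'ls -l' line so it works on captured output as well as live
# (e.g. check_pagsh_mode "$(ls -l /path/to/pagsh)").
check_pagsh_mode() {
    line=$1
    # Split the ls -l line on whitespace: field 1 is the mode, field 3 the owner.
    set -- $line
    mode=$1
    owner=$3
    if [ "$mode" != "-rwsr-xr-x" ]; then
        echo "fail: mode is '$mode', expected -rwsr-xr-x"
        return 1
    fi
    if [ "$owner" != "root" ]; then
        echo "fail: owner is '$owner', expected root"
        return 1
    fi
    echo "ok: $line"
    return 0
}

# Demo: live slot check on this host, then the mode check on a constructed
# 'ls -l' line (sample data for the example, not from a real system).
pag_slots_free
check_pagsh_mode "-rwsr-xr-x 1 root root 123456 Dec 24  2023 /usr/bin/pagsh"
```

Both functions return 0 on success and 1 on failure, so they can be dropped into a login script or a configuration audit and chained with `&&` before the actual `pagsh` invocation; a failing mode check on a Translator client is the condition under which the page's "Remote setpag ... failed" message appears.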