pagsh - Creates a new PAG [UNIX only but not OSX]
The pagsh command creates a new command shell (owned by the issuer of the command) and associates a new process authentication group (PAG) with the shell and the user. A PAG is a unique identifier that permits the Cache Manager to associate a process with a set of authentication tokens.
Any tokens acquired after PAG creation become associated with the PAG rather than with the user's local UID. Each process inherits the PAG (if any) of the process that spawned it. As such, a PAG associates a set of tokens with a group of processes.
This method for distinguishing authentication credentials has two advantages:

1. It means that processes with an associated PAG can access /afs as an authenticated user. In many environments, printer and other daemons run under UIDs (such as the local superuser root) that would not otherwise be associated with authentication tokens. Without tokens the cell's File Servers and Location Servers would identify their requests as being issued by
   Unless PAGs are used and tokens are acquired, such daemons cannot access files in directories whose access control lists (ACLs) do not extend permissions to the system:anyuser group.

2. It closes a potential security loophole: UNIX allows anyone already logged in as the local superuser root on a machine to assume any other identity by issuing the UNIX su command. If a process has no assigned PAG, then the Cache Manager selects authentication tokens based upon the process's effective local UID. This permits the local superuser root to use any tokens associated with any local UID active on the system. The use of PAGs eliminates that possibility.
Process Authentication Groups are implemented in an operating system specific manner. On some operating systems the ability to associate PAGs with processes is limited by local resources. If insufficient resources are available, the pagsh command fails. This is not a problem with most operating systems.
On systems that do not use PAM modules to acquire tokens, use the pagsh command to obtain a PAG before issuing the aklog command. If a PAG is not acquired first, the Cache Manager associates the token with the local UID rather than with a PAG. This creates the potential security exposure described in "DESCRIPTION".
In the following example, the issuer invokes the C shell instead of the default Bourne shell:
# pagsh -c /bin/csh
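The following wrapper is an added example, not part of the pagsh documentation or the OpenAFS/AuriStor code: it applies the procedure from NOTES (pagsh first, then aklog, then the work) to a daemon or other long-running command, so that its tokens are bound to a fresh PAG rather than to the UID it runs under. It assumes that pagsh -c accepts a single shell command string (as in the pagsh -c /bin/csh example above), that a Kerberos ticket is already available for aklog, and that the script, function and daemon names (pagrun.sh, sq, pag_command, run_in_pag, mydaemon) are hypothetical.

```shell
#!/bin/sh
# Added example (not from the pagsh documentation): run a command inside a
# fresh PAG with its own AFS tokens, per the NOTES procedure.
# Assumptions: `pagsh -c` takes one shell command string, and aklog can
# find a Kerberos ticket (e.g. from a keytab the caller has already used).

# Quote one argument so it survives being embedded in a shell command
# string: wrap it in single quotes and turn each embedded ' into '\''.
sq() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Build the command string pagsh will run: acquire tokens in the new PAG,
# then replace the shell with the target command so it inherits the PAG.
# If aklog fails, the command is never started (no silent fallback to
# running unauthenticated or under UID-bound tokens).
pag_command() {
    cmd="aklog && exec"
    for arg in "$@"; do
        cmd="$cmd $(sq "$arg")"
    done
    printf '%s' "$cmd"
}

# Obtain the PAG via pagsh and hand it the composed command string.
run_in_pag() {
    command -v pagsh >/dev/null 2>&1 || {
        echo "pagrun: pagsh not found; refusing to run without a PAG" >&2
        return 127
    }
    exec pagsh -c "$(pag_command "$@")"
}

# Usage: ./pagrun.sh /usr/sbin/mydaemon -f '/etc/my daemon.conf'
# With no arguments the script only defines the functions above.
if [ "$#" -gt 0 ]; then
    run_in_pag "$@"
fi
```

The wrapper refuses to start the command when pagsh is missing or aklog fails, because a daemon started without a PAG would fall back to the UID-keyed tokens described in DESCRIPTION, which is exactly the exposure the procedure is meant to avoid.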
IBM Corporation 2000. http://www.ibm.com/ All Rights Reserved.
This documentation is covered by the IBM Public License Version 1.0. It was converted from HTML to POD by software written by Chas Williams and Russ Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.
"AFS" is a registered mark of International Business Machines Corporation, used under license. (USPTO Registration 1598389)
"OpenAFS" is a registered mark of International Business Machines Corporation. (USPTO Registration 4577045)
The "AuriStor" name, log 'S' brand mark, and icon are registered marks of AuriStor, Inc. (USPTO Registrations 4849419, 4849421, and 4928460) (EUIPO Registration 015539653).
"Your File System" is a registered mark of AuriStor, Inc. (USPTO Registrations 4801402 and 4849418).
"YFS" and "AuriStor File System" are trademarks of AuriStor, Inc.