NAME

pagsh - Creates a new PAG [UNIX only but not OSX]

SYNOPSIS

pagsh

DESCRIPTION

The pagsh command creates a new command shell (owned by the issuer of the command) and associates a new process authentication group (PAG) with the shell and the user. A PAG is a unique identifier that permits the Cache Manager to associate a process with a set of authentication tokens.

Any tokens acquired after PAG creation become associated with the PAG rather than with the user's local UID. Each process inherits the PAG (if any) of the process that spawned it. As such, a PAG associates a set of tokens with a group of processes.

This method for distinguishing authentication credentials has two advantages:

CAUTIONS

Process Authentication Groups are implemented in an operating system specific manner. On some operating systems the ability to associate PAGs with processes is limited by local resources. If insufficient resources are available, the pagsh command fails. This is not a problem with most operating systems.

On systems that do not use PAM modules to acquire tokens, use the pagsh command to obtain a PAG before issuing the aklog command. If a PAG is not acquired, the Cache Manager associates the token with the local UID rather than with a PAG. This creates the potential security exposure described in "DESCRIPTION".

EXAMPLES

In the following example, the issuer invokes the C shell instead of the default Bourne shell:

   # pagsh -c /bin/csh
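
The following Python model is an added illustration, not part of the original manual page and not code from any AFS implementation. It shows the association rules from DESCRIPTION and CAUTIONS: tokens keyed by PAG when one exists, otherwise by local UID, with the PAG inherited by child processes. The class names, cell names, UID and PAG numbers are constructed, and the rule that a process in a PAG is looked up by PAG only is an assumption of the model.

```python
"""Toy model: how a Cache Manager keys tokens by PAG or by local UID."""
import itertools
from dataclasses import dataclass
from typing import Optional

_next_pag = itertools.count(1)  # constructed PAG numbers, not real values


@dataclass
class Process:
    uid: int
    pag: Optional[int] = None

    def spawn(self) -> "Process":
        # A child inherits the PAG (if any) of the process that spawned it.
        return Process(self.uid, self.pag)

    def pagsh(self) -> "Process":
        # Model of pagsh: a new shell with the same owner and a fresh PAG.
        return Process(self.uid, next(_next_pag))


class CacheManager:
    def __init__(self) -> None:
        self._tokens = {}  # ("pag", n) or ("uid", n) -> set of cell names

    @staticmethod
    def _key(proc: Process):
        # Assumption of this model: a process in a PAG is looked up by PAG only.
        return ("pag", proc.pag) if proc.pag is not None else ("uid", proc.uid)

    def aklog(self, proc: Process, cell: str) -> None:
        self._tokens.setdefault(self._key(proc), set()).add(cell)

    def tokens(self, proc: Process) -> set:
        return set(self._tokens.get(self._key(proc), set()))


def demo() -> dict:
    cm = CacheManager()
    login = Process(uid=1000)        # login shell without a PAG
    other = Process(uid=1000)        # unrelated process under the same UID
    cm.aklog(login, "example.org")   # no PAG: token is tied to UID 1000
    shell = login.pagsh()            # new shell, new PAG
    cm.aklog(shell, "cell.example")  # token is tied to the PAG, not the UID
    return {"other_same_uid": cm.tokens(other), "login": cm.tokens(login),
            "pag_shell": cm.tokens(shell), "pag_child": cm.tokens(shell.spawn())}
```

In the result of demo(), the token acquired without a PAG is visible to every process running under UID 1000, while the token acquired inside the pagsh shell is visible only to that shell and its children.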

PRIVILEGE REQUIRED

None

SEE ALSO

aklog(1), tokens(1)

COPYRIGHT

IBM Corporation 2000. http://www.ibm.com/ All Rights Reserved.

This documentation is covered by the IBM Public License Version 1.0. It was converted from HTML to POD by software written by Chas Williams and Russ Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.

ACKNOWLEDGEMENTS

"AFS" is a registered mark of International Business Machines Corporation, used under license. (USPTO Registration 1598389)

"OpenAFS" is a registered mark of International Business Machines Corporation. (USPTO Registration 4577045)

The "AuriStor" name, logo 'S' brand mark, and icon are registered marks of AuriStor, Inc. (USPTO Registrations 4849419, 4849421, and 4928460) (EUIPO Registration 015539653).

"Your File System" is a registered mark of AuriStor, Inc. (USPTO Registrations 4801402 and 4849418).

"YFS" and "AuriStor File System" are trademarks of AuriStor, Inc.