Man page or keyword search:   man All Sections 1 - General Commands 2 - System Calls 3 - Subroutines, Functions 4 - Special Files 5 - File Formats 6 - Games and Screensavers 7 - Macros and Conventions 8 - Maintenence Commands 9 - Kernel Interface New Commands Server 4.4BSD AIX Alpinelinux Archlinux Aros BSDOS BSDi Bifrost CentOS Cygwin Darwin Debian DigitalUNIX DragonFly ElementaryOS Fedora FreeBSD Gentoo GhostBSD HP-UX Haiku Hurd IRIX Inferno JazzOS Kali Knoppix LinuxMint MacOSX Mageia Mandriva Manjaro Minix MirBSD NeXTSTEP NetBSD OPENSTEP OSF1 OpenBSD OpenDarwin OpenIndiana OpenMandriva OpenServer OpenSuSE OpenVMS Oracle PC-BSD Peanut Pidora Plan9 QNX Raspbian RedHat Scientific Slackware SmartOS Solaris SuSE SunOS Syllable Tru64 UNIXv7 Ubuntu Ultrix UnixWare Xenix YellowDog aLinux   26626 pages apropos Keyword Search (all sections) Output format html ascii pdf view pdf save postscript

PAGSH(1)		     AFS Command Reference		      PAGSH(1)

NAME
       pagsh, pagsh.krb - Creates a new PAG

SYNOPSIS
       pagsh

       pagsh.krb

DESCRIPTION
       The pagsh command creates a new command shell (owned by the issuer of
       the command) and associates a new process authentication group (PAG)
       with the shell and the user. A PAG is a number guaranteed to identify
       the issuer of commands in the new shell uniquely to the local Cache
       Manager. The PAG is used, instead of the issuer's UNIX UID, to identify
       the issuer in the credential structure that the Cache Manager creates
       to track each user.

       Any tokens acquired subsequently (presumably for other cells) become
       associated with the PAG, rather than with the user's UNIX UID.  This
       method for distinguishing users has two advantages:

       · It means that processes spawned by the user inherit the PAG and so
	 share the token; thus they gain access to AFS as the authenticated
	 user.	In many environments, for example, printer and other daemons
	 run under identities (such as the local superuser "root") that the
	 AFS server processes recognize only as "anonymous". Unless PAGs are
	 used, such daemons cannot access files in directories whose access
	 control lists (ACLs) do not extend permissions to the system:anyuser
	 group.

       · It closes a potential security loophole: UNIX allows anyone already
	 logged in as the local superuser "root" on a machine to assume any
	 other identity by issuing the UNIX su command. If the credential
	 structure is identified by a UNIX UID rather than a PAG, then the
	 local superuser "root" can assume a UNIX UID and use any tokens
	 associated with that UID. Use of a PAG as an identifier eliminates
	 that possibility.

       The (mostly obsolete) pagsh.krb command is the same as pagsh except
       that it also sets the KRBTKFILE environment variable, which controls
       the default Kerberos v4 ticket cache, to /tmp/tktpX where X is the
       number of the user's PAG.  This is only useful for AFS cells still
       using Kerberos v4 outside of AFS and has no effect for cells using
       Kerberos v5 and aklog or klog.krb5.

CAUTIONS
       Each PAG created uses two of the memory slots that the kernel uses to
       record the UNIX groups associated with a user. If none of these slots
       are available, the pagsh command fails. This is not a problem with most
       operating systems, which make at least 16 slots available per user.

       In cells that do not use an AFS-modified login utility, use this
       command to obtain a PAG before issuing the klog command (or include the
       -setpag argument to the klog command). If a PAG is not acquired, the
       Cache Manager stores the token in a credential structure identified by
       local UID rather than PAG. This creates the potential security exposure
       described in DESCRIPTION.

       If users of NFS client machines for which AFS is supported are to issue
       this command as part of authenticating with AFS, do not use the fs
       exportafs command's -uidcheck on argument to enable UID checking on
       NFS/AFS Translator machines. Enabling UID checking prevents this
       command from succeeding. See klog(1).

       If UID checking is not enabled on Translator machines, then by default
       it is possible to issue this command on a properly configured NFS
       client machine that is accessing AFS via the NFS/AFS Translator,
       assuming that the NFS client machine is a supported system type. The
       pagsh binary accessed by the NFS client must be owned by, and grant
       setuid privilege to, the local superuser "root". The complete set of
       mode bits must be "-rwsr-xr-x". This is not a requirement when the
       command is issued on AFS client machines.

       However, if the translator machine's administrator has enabled UID
       checking by including the -uidcheck on argument to the fs exportafs
       command, the command fails with an error message similar to the
       following:

	  Warning: Remote setpag to <translator_machine> has failed (err=8). . .
	  setpag: Exec format error

EXAMPLES
       In the following example, the issuer invokes the C shell instead of the
       default Bourne shell:

	  # pagsh -c /bin/csh

PRIVILEGE REQUIRED
       None

SEE ALSO
       aklog(1), fs_exportafs(1), klog(1), tokens(1)

COPYRIGHT
       IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

       This documentation is covered by the IBM Public License Version 1.0.
       It was converted from HTML to POD by software written by Chas Williams
       and Russ Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.

OpenAFS				  2013-10-09			      PAGSH(1)

Vote for polarhome