Does anyone out there know how to correctly use pagsh?

To begin with, the AFS Installation Guide instructs in 2.28.1, Step 2 on
page 2-65 to set the ACL for system:anyuser to none for
/afs/<cell>/@sys/usr/afsws/* and then reset the ACL for system:anyuser to
rl on ./bin, only.

That leaves pagsh in ../etc with the ACL for system:anyuser set to none,
making it impossible for anyone to use it, except system:authuser.  Thus,
one must first klog in, before using pagsh.

Then the AFS System Administrator's Guide states in 2.9.8 on page 2-37 to
include the following commands in .login to create a PAG and authenticate
the user with AFS:

        pagsh
        echo -n "klog "
        klog

And finally, in the AFS User's Guide on page A-48, the pagsh "man" page
finally states that pagsh creates a new command shell.  It doesn't state
that it creates a Bourne shell, whether you like it or not.  To get to a C
shell, you have to run csh after the pagsh.  

All this leaves you with a C shell, child of a Bourne shell (pagsh), child
of your .login.  

        ----------    
        | .login |  
        |--------|    ----------
        | pagsh  |--->|   sh   |
        | echo ..|<-+ |--------|    ---------
        | klog   |  | |   csh  |--->|  csh  |
        | cmds ..|  +-|  exit  |<-+ |-------|
        |   .    |    ----------  | |  cmds |
        |   .    |                | |    .  |
        |   .    |                | |    .  |
        ----------                | |    .  |
                                  +-|  exit |
                                    ---------

Now, the problems with this approach are, first of all, the pagsh won't work,
because you have to klog first.  That's because of the ACL setup on the
./etc directory.  Secondly, because of the UNIX shell hierarchy, all
instructions following the pagsh instruction in your .login would be
ignored (if the pagsh did work) until you exit the pagsh Bourne shell
(after you exit the C shell, if you are using it, too).  So the echo and
klog are a bit belated.

You cannot set the ACL on pagsh to system:anyuser rl, since AFS only sets
ACLs on directories; and the other files in ./etc must be protected.  So,
how about moving pagsh from ./etc to ./bin?  Would that create other
difficulties?  That move still won't solve the second problem of UNIX
shells, however.

Has anyone found a way out of this "Catch 22"?

Also, there seems to be an undocumented fact that the PAG number can be
viewed with the UNIX command "groups" which displays all of the groups that
the user is a member of.  The PAG numbers are listed, first.  Normally,
groups displays the UNIX groups listed in /etc/groups.  Here we see AFS
uses it to display PAG as well; thus, at last, we see the full meaning of
"PAG: process authentication group".  It IS a group.  (Now I wonder if
"groups" will also display AFS group memberships defined in ACLs.  Is THIS
documented, anywhere?)
Don Doering