Well, obviously, if you want to be able to run pagsh without
tokens, you can't have it permitted only to system:authuser.
That would seem to be mostly a question of what you want to do.
If bin is permitted to system:anyuser, just putting pagsh there
makes the most sense to me. Machine acl's might also be a solution,
if you're really worried about people making off with your binaries.
You could also just install it on the local disk of machines you plan
to use this utility from, if you really want to tighten permissions down.
So far as the the login shell/sh/csh hierarchy goes, that's
not a huge problem either. I find it simplest to just say
"exec csh" at the /bin/sh prompt, which tells sh to just
exec csh without forking. If you want something
simplier, you might try this C-shell alias:
alias pagcsh "pagsh -c 'exec csh'"
-Marcus Watts
UM ITD RS Umich Systems Group
