In message <[email protected]>, Felix Frank writes:
>Chas Williams (CONTRACTOR) wrote (Wed Jun 17 2009 13:42:11 GMT+0200 (CEST))
>> In message <[email protected]>, Dr A V Le Blanc writes:
>>> I log in under gdm, which knows nothing of afs, and in a window,
>>> I get a new PAG. 'keyctl show' shows that the session number for
>>> the afs_pag has changed. I am also careful to have a randomised name
>>> for my Kerberos credentials file. In this new PAG I kinit and run aklog.
>>> I now have tokens.
>>>
>>> I open a new window, which should not be in the same PAG, and type
>>> 'tokens'. I have tokens! Somehow my PAG has got taken over by the
>>> window manager, or so it appears. In the past, with group-based
>>> PAGs, this could not happen. Now it seems my credentials can wander
>>> out of the process and the PAG into which I tried to isolate them.
>>
>> how did you open a new window such that it was not in the same pag?
>> unless you do something like pagsh (or fiddle with keyctl) anyone
>> using the same keyring will share the same pag. aklog doesn't create
>> a new pag.
>
>The way I understood it, the original window runs a pagsh. Tokens that
>are retrieved from inside that pagsh should not be visible to any
>process outside it. Correct?
When you log in with gdm a new keyring should be created for all the processes associated with this login session. This is part of PAM as I recall. Any windows you open during this login session will be associated with this keyring unless you take special measures to escape the default keyring.

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
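As an added example (not from this thread, and not OpenAFS's own code), here is a small POSIX shell script that makes the keyring behaviour discussed above visible: it reports which session keyring and which afs_pag key the current shell is attached to, compares that with a command started in a brand-new session keyring (what pagsh does for AFS, done here with keyutils' `keyctl session`), and decides whether two PAG serials would share tokens. It assumes keyutils (`keyctl`) and an OpenAFS Linux client whose PAG key has type `afs_pag`; the function names and the embedded sample of `keyctl show` output are my own constructions.

```shell
#!/bin/sh
# Added example, not part of the thread or of OpenAFS: inspect the session
# keyring and AFS PAG of this shell, and start a command in an isolated one.
# Assumes keyutils (keyctl) and an OpenAFS client using the afs_pag key type.
# Function names and SAMPLE_SHOW below are constructed for this example.

# Serial number of the session keyring this process is attached to.
# Every process started from the same gdm login shares this keyring unless
# it explicitly joined a new one (pagsh, keyctl session, ...).
session_keyring_id() {
    keyctl id @s
}

# Pull the afs_pag key serial out of `keyctl show` output read on stdin.
# Prints nothing when the keyring holds no PAG.
pag_id_from_show() {
    awk '/afs_pag:/ { print $1; exit }'
}

# PAG serial of the current process (empty if it has none).
afs_pag_id() {
    keyctl show @s | pag_id_from_show
}

# Two processes see the same AFS tokens exactly when they hold the same PAG
# key. Two empty serials also count as shared: without a PAG the client keys
# tokens by UID, so every PAG-less process of that user shares them.
# Returns 0 when shared, 1 when isolated.
same_pag() {
    [ "$1" = "$2" ]
}

# Run a command inside a brand-new anonymous session keyring. Tokens acquired
# in there (kinit + aklog) are invisible to the login session's other windows.
# pagsh does this for AFS; `keyctl session -` is the generic keyutils form.
in_fresh_session() {
    keyctl session - "$@"
}

# Compare this shell with a child started in a fresh session keyring.
# Returns 0 when the child is isolated from us, 1 otherwise.
check_isolation() {
    here=$(session_keyring_id) || return 1
    there=$(in_fresh_session keyctl id @s) || return 1
    [ "$here" != "$there" ]
}

# Constructed sample of `keyctl show @s` for a shell that is inside a PAG.
SAMPLE_SHOW='Session Keyring
 123456789 --alswrv   1000  1000  keyring: _ses
 987654321 ----s-rv   1000  1000   \_ afs_pag: _pag
 246813579 --alswrv   1000 65534   \_ keyring: _uid.1000'

demo() {
    printf 'this shell:  session keyring %s, afs_pag %s\n' \
        "$(session_keyring_id)" "$(afs_pag_id)"
    printf 'fresh shell: session keyring %s, afs_pag %s\n' \
        "$(in_fresh_session keyctl id @s)" \
        "$(in_fresh_session keyctl show @s | pag_id_from_show)"
    if check_isolation; then
        echo 'a command started via keyctl session (or pagsh) has its own keyring'
    else
        echo 'child shares our session keyring: its tokens would leak to us'
    fi
}

case "${1-}" in demo) demo ;; esac
```

Run it as `sh pag_check.sh demo` from two terminals of the same gdm login: both report the same session keyring serial, which is why tokens obtained in one appear in the other; only the child started through `keyctl session -` (or `pagsh`) gets a different serial and an empty afs_pag until it runs aklog itself.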
