On 10/12/2025 2:28 AM, Dirk Heinrichs wrote:
> Christian:
>> However, I am somewhat surprised (or maybe it is just a lack of understanding of sudo on my end) that if I log in as a user, and issue sudo -i, root still has tokens
>
> This is exactly because of nopag.
If 'root' inherits the tokens of the user that executed 'sudo', then something is broken.
[jaltman@host]$ tokens
Tokens held by the Cache Manager:
Rxgk tokens for your-file-system.com [Expires Oct 13 13:46]
User's (AFS ID 101) rxkad tokens for your-file-system.com [Expires Oct 13 13:46]
--End of list--
[jaltman@host]$ sudo -i
[sudo] password for jaltman:
[root@host]# tokens
Tokens held by the Cache Manager:
--End of list--
When "nopag" is specified, the PAG id associated with the stored tokens
is the local uid of the process executing 'aklog'. The local uid of
'root' is 0, which should not be the same as any normal user on the system.
If the user who becomes 'root' obtains tokens as 'root', they will be associated with PAG ID 0.
With an OpenAFS client on Linux it's possible to list the PAGs for which tokens have been obtained.

cat /proc/fs/openafs/unixusers

If there are tokens assigned to UID/PAG 0, then those are the ones which will be active when any user executes 'sudo -i'.
Becoming 'root' via sudo is one of the cases where you do want a PAG to be acquired. Do you have a "session required pam_afs_session.so" rule specified in each of the /etc/pam.d/sudo* configuration files?
Jeffrey Altman
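As an added example (not part of the thread, and not OpenAFS project code), the two checks above can be scripted: one walks the /etc/pam.d/sudo* files looking for a session rule that loads pam_afs_session.so, the other counts entries bound to UID/PAG 0 in a unixusers-style listing. Both take their inputs as parameters so they run here against constructed sample files; the column layout assumed for the unixusers listing (header line, UID/PAG in the first column) is an assumption, not something the thread confirms.

```shell
#!/bin/sh
# Added example, not from the thread: audit helpers for the two conditions
# discussed above. The pam.d directory and the listing file are passed in so
# the checks can run against constructed samples; on a real OpenAFS client
# you would point them at /etc/pam.d and /proc/fs/openafs/unixusers.

# Exit status 0 when every sudo* file in the given pam.d directory carries a
# "session ... pam_afs_session.so" rule; 1 otherwise, naming each file that lacks one.
check_sudo_pam_afs_session() {
    pamdir="$1"
    missing=0
    for f in "$pamdir"/sudo*; do
        [ -f "$f" ] || continue
        # an uncommented "session" line that loads pam_afs_session.so
        if ! grep -Eq '^[[:space:]]*session[[:space:]].*pam_afs_session\.so' "$f"; then
            echo "missing pam_afs_session session rule: $f"
            missing=1
        fi
    done
    return "$missing"
}

# Print the number of entries bound to UID/PAG 0 in a unixusers-style listing.
# Assumption (not confirmed by the thread): the first line is a header and the
# first column of each following line is the UID/PAG. With nopag, entries on
# PAG 0 are the tokens every 'sudo -i' shell will see.
count_pag0_entries() {
    awk 'NR > 1 && $1 == 0 { n++ } END { print n + 0 }' "$1"
}

# Demonstration on constructed samples (not real system files).
demo_dir=$(mktemp -d)
mkdir "$demo_dir/pam.d"
printf 'auth    include  system-auth\nsession required pam_afs_session.so\n' > "$demo_dir/pam.d/sudo"
printf '#%%PAM-1.0\nauth    include  sudo\n' > "$demo_dir/pam.d/sudo-i"
cat > "$demo_dir/unixusers" <<'EOF'
   UID/PAG Refs   Cell                  ViceID     Expires
         0    1   your-file-system.com  101     1760363160
      1001    2   your-file-system.com  101     1760363160
EOF

if check_sudo_pam_afs_session "$demo_dir/pam.d"; then
    echo "all sudo* PAM files acquire a PAG"
else
    echo "root shells from sudo may run without a PAG"
fi
echo "entries on UID/PAG 0: $(count_pag0_entries "$demo_dir/unixusers")"
rm -rf "$demo_dir"
```

The sample deliberately leaves pam_afs_session.so out of sudo-i, so the demo reports that sudo shells may run without a PAG and finds one token set bound to UID/PAG 0; on a real client, replace the sample paths with /etc/pam.d and /proc/fs/openafs/unixusers.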