pagsh.openafs - Online in the Cloud

PROGRAM:

NAME


pagsh, pagsh.krb - Creates a new PAG

SYNOPSIS


pagsh

pagsh.krb

DESCRIPTION


The pagsh command creates a new command shell (owned by the issuer of the command) and
associates a new process authentication group (PAG) with the shell and the user. A PAG is
a number guaranteed to identify the issuer of commands in the new shell uniquely to the
local Cache Manager. The PAG is used, instead of the issuer's UNIX UID, to identify the
issuer in the credential structure that the Cache Manager creates to track each user.

Any tokens acquired subsequently (presumably for other cells) become associated with the
PAG, rather than with the user's UNIX UID. This method for distinguishing users has two
advantages:

· It means that processes spawned by the user inherit the PAG and so share the token; thus
they gain access to AFS as the authenticated user. In many environments, for example,
printer and other daemons run under identities (such as the local superuser "root") that
the AFS server processes recognize only as "anonymous". Unless PAGs are used, such
daemons cannot access files in directories whose access control lists (ACLs) do not
extend permissions to the system:anyuser group.

· It closes a potential security loophole: UNIX allows anyone already logged in as the
local superuser "root" on a machine to assume any other identity by issuing the UNIX su
command. If the credential structure is identified by a UNIX UID rather than a PAG, then
the local superuser "root" can assume a UNIX UID and use any tokens associated with that
UID. Use of a PAG as an identifier eliminates that possibility.

The (mostly obsolete) pagsh.krb command is the same as pagsh except that it also sets the
KRBTKFILE environment variable, which controls the default Kerberos v4 ticket cache, to
/tmp/tktpX where X is the number of the user's PAG. This is only useful for AFS cells
still using Kerberos v4 outside of AFS and has no effect for cells using Kerberos v5 and
aklog or klog.krb5.

CAUTIONS


Each PAG created uses two of the memory slots that the kernel uses to record the UNIX
groups associated with a user. If none of these slots are available, the pagsh command
fails. This is not a problem with most operating systems, which make at least 16 slots
available per user.

In cells that do not use an AFS-modified login utility, use this command to obtain a PAG
before issuing the klog command (or include the -setpag argument to the klog command). If
a PAG is not acquired, the Cache Manager stores the token in a credential structure
identified by local UID rather than PAG. This creates the potential security exposure
described in DESCRIPTION.

If users of NFS client machines for which AFS is supported are to issue this command as
part of authenticating with AFS, do not use the fs exportafs command's -uidcheck on
argument to enable UID checking on NFS/AFS Translator machines. Enabling UID checking
prevents this command from succeeding. See klog(1).

If UID checking is not enabled on Translator machines, then by default it is possible to
issue this command on a properly configured NFS client machine that is accessing AFS via
the NFS/AFS Translator, assuming that the NFS client machine is a supported system type.
The pagsh binary accessed by the NFS client must be owned by, and grant setuid privilege
to, the local superuser "root". The complete set of mode bits must be "-rwsr-xr-x". This
is not a requirement when the command is issued on AFS client machines.

However, if the translator machine's administrator has enabled UID checking by including
the -uidcheck on argument to the fs exportafs command, the command fails with an error
message similar to the following:

   Warning: Remote setpag to <translator_machine> has failed (err=8). . .
   setpag: Exec format error
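
A pre-flight check for the two local conditions this section describes (free group slots for the PAG, and the ownership and mode bits required of the pagsh binary on an NFS client), as an added example that is not part of the OpenAFS manual or distribution. The function names are hypothetical, and the script assumes GNU coreutils stat(1) and a getconf that reports NGROUPS_MAX.

```shell
#!/bin/sh
# Added example: pre-flight checks for the CAUTIONS above. Function names are
# hypothetical; assumes GNU coreutils stat(1) and getconf NGROUPS_MAX.

# slots_ok USED MAX: true if the two group slots a new PAG needs still fit.
slots_ok() {
    [ $(( $1 + 2 )) -le "$2" ]
}

# mode_ok FILE UID: true if FILE is a regular file owned by UID whose complete
# mode is exactly -rwsr-xr-x (setuid, not group- or world-writable).
mode_ok() {
    [ -f "$1" ] || return 1
    [ "$(stat -L -c '%A %u' "$1" 2>/dev/null)" = "-rwsr-xr-x $2" ]
}

# preflight PATH_TO_PAGSH: run both checks for the current user, report each
# failure on stderr, and return non-zero if any check failed.
preflight() {
    bin=$1
    rc=0
    # id -G also lists the primary group, so this count errs on the high side.
    used=$(id -G | wc -w)
    max=$(getconf NGROUPS_MAX)
    if ! slots_ok "$used" "$max"; then
        echo "group slots: $used of $max in use, no room for a PAG" >&2
        rc=1
    fi
    if ! mode_ok "$bin" 0; then
        echo "$bin: expected root-owned -rwsr-xr-x, got:" \
             "$(stat -L -c '%A uid=%u' "$bin" 2>&1)" >&2
        rc=1
    fi
    return "$rc"
}

# Stand-alone use: sh preflight.sh /path/to/pagsh
if [ $# -gt 0 ]; then
    preflight "$1"
fi
```

The mode comparison is exact on purpose: a binary that is setuid root but also group- or world-writable fails the check, since the manual requires the complete set of mode bits to match.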

EXAMPLES


In the following example, the issuer invokes the C shell instead of the default Bourne
shell:

   # pagsh -c /bin/csh

PRIVILEGE REQUIRED


None
