Provided by: openafs-client_1.8.13.2-1ubuntu1_amd64

NAME

       pagsh, pagsh.krb - Creates a new PAG

SYNOPSIS

       pagsh

       pagsh.krb

DESCRIPTION

       The pagsh command creates a new command shell (owned by the issuer of the command) and associates a new
       process authentication group (PAG) with the shell and the user. A PAG is a number guaranteed to identify
       the issuer of commands in the new shell uniquely to the local Cache Manager. The PAG is used, instead of
       the issuer's UNIX UID, to identify the issuer in the credential structure that the Cache Manager creates
       to track each user.

       Any tokens acquired subsequently (presumably for other cells) become associated with the PAG, rather than
       with the user's UNIX UID.  This method for distinguishing users has two advantages:

       • It  means  that  processes  spawned  by the user inherit the PAG and so share the token; thus they gain
         access to AFS as the authenticated user.  In many environments, for example, printer and other  daemons
         run  under identities (such as the local superuser "root") that the AFS server processes recognize only
         as "anonymous". Unless PAGs are used, such daemons cannot access  files  in  directories  whose  access
         control lists (ACLs) do not extend permissions to the system:anyuser group.

       • It  closes  a  potential security loophole: UNIX allows anyone already logged in as the local superuser
         "root" on a machine to assume any other identity by issuing the UNIX  su  command.  If  the  credential
         structure  is  identified by a UNIX UID rather than a PAG, then the local superuser "root" can assume a
         UNIX UID and use any tokens associated with that UID. Use of a PAG as  an  identifier  eliminates  that
         possibility.

       The  (mostly  obsolete)  pagsh.krb  command  is  the same as pagsh except that it also sets the KRBTKFILE
       environment variable, which controls the default Kerberos v4 ticket cache, to /tmp/tktpX where X  is  the
       number  of  the user's PAG.  This is only useful for AFS cells still using Kerberos v4 outside of AFS and
       has no effect for cells using Kerberos v5 and aklog or klog.krb5.

CAUTIONS

       Each PAG created uses two of the memory slots that the kernel uses to record the UNIX  groups  associated
       with  a  user.  If none of these slots are available, the pagsh command fails. This is not a problem with
       most operating systems, which make at least 16 slots available per user.

       In cells that do not use an AFS-modified login utility, use this command to obtain a PAG  before  issuing
       the  klog  command  (or  include the -setpag argument to the klog command). If a PAG is not acquired, the
       Cache Manager stores the token in a credential structure identified by local UID rather  than  PAG.  This
       creates the potential security exposure described in "DESCRIPTION".

       If  users  of  NFS  client  machines  for  which  AFS  is  supported are to issue this command as part of
       authenticating with AFS, do not use the fs exportafs  command's  -uidcheck  on  argument  to  enable  UID
       checking on NFS/AFS Translator machines. Enabling UID checking prevents this command from succeeding. See
       klog(1).

       If  UID  checking  is  not  enabled  on Translator machines, then by default it is possible to issue this
       command on a properly configured NFS client machine that is accessing AFS  via  the  NFS/AFS  Translator,
       assuming  that  the  NFS  client machine is a supported system type. The pagsh binary accessed by the NFS
       client must be owned by, and grant setuid privilege to, the local superuser "root". The complete  set  of
       mode  bits  must  be  "-rwsr-xr-x".  This  is  not a requirement when the command is issued on AFS client
       machines.

       However, if the translator machine's administrator has enabled UID checking by including the -uidcheck on
       argument to the fs exportafs command, the command fails with an error message similar to the following:

          Warning: Remote setpag to <translator_machine> has failed (err=8). . .
          setpag: Exec format error
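
       The following POSIX shell script is an added example; it is not part of the OpenAFS manual or source.
       It puts the cautions above into checks a site can run before relying on PAGs: pag_slots_ok applies the
       two-group-slots-per-PAG rule, pagsh_perms_ok and check_pagsh_binary verify the root ownership and the
       "-rwsr-xr-x" (octal 4755) mode required on NFS client machines, and afs_pag_login follows the
       DESCRIPTION's ordering (PAG first, then tokens) so the token is filed under the PAG rather than the UID.
       The wrapper name afs_pag_login is hypothetical; the script assumes GNU coreutils (stat -c, id -G,
       getconf) and that aklog is the site's token-acquisition command.

```shell
#!/bin/sh
# Added example, not OpenAFS code: pre-flight checks for the PAG workflow.
# Assumes GNU coreutils (stat -c, id -G, getconf); afs_pag_login is a
# hypothetical wrapper name.

# pag_slots_ok MAX USED: each PAG consumes two of the kernel's supplementary
# group slots, so succeed only if at least two of the MAX slots are still free.
pag_slots_ok() {
    max=$1
    used=$2
    [ "$((max - used))" -ge 2 ]
}

# pagsh_perms_ok OWNER MODE: on an NFS client reaching AFS through the NFS/AFS
# Translator, the pagsh binary must be owned by root with mode exactly
# -rwsr-xr-x, i.e. octal 4755 as printed by "stat -c %a".
pagsh_perms_ok() {
    owner=$1
    mode=$2
    [ "$owner" = "root" ] && [ "$mode" = "4755" ]
}

# check_pagsh_binary PATH: read owner and mode from the filesystem and apply
# pagsh_perms_ok. Only relevant for the NFS-client case; on AFS client
# machines pagsh needs no setuid bit.
check_pagsh_binary() {
    path=$1
    [ -f "$path" ] || { echo "$path: not a regular file" >&2; return 1; }
    owner=$(stat -c %U "$path") || return 1
    mode=$(stat -c %a "$path") || return 1
    if pagsh_perms_ok "$owner" "$mode"; then
        return 0
    fi
    echo "$path: owner=$owner mode=$mode, need root and 4755 (-rwsr-xr-x)" >&2
    return 1
}

# afs_pag_login (hypothetical wrapper): obtain a PAG first, then acquire the
# token inside it, so the Cache Manager associates the token with the PAG
# rather than with the UNIX UID. Fails early if no group slots are free, which
# is the condition under which pagsh itself would fail.
afs_pag_login() {
    ngroups=$(getconf NGROUPS_MAX)
    used=$(id -G | wc -w)
    pag_slots_ok "$ngroups" "$used" || {
        echo "no free group slots for a PAG ($used of $ngroups in use)" >&2
        return 1
    }
    # aklog turns the Kerberos v5 TGT into an AFS token; tokens shows it is
    # held by this PAG before the interactive shell starts.
    pagsh -c 'aklog && tokens && exec "${SHELL:-/bin/sh}"'
}
```

       Running check_pagsh_binary against the pagsh that NFS clients execute catches the misconfiguration
       before users see the "Remote setpag ... has failed" message; afs_pag_login is the everyday entry point
       for sites without an AFS-modified login utility, and is equivalent in effect to "klog -setpag" for
       sites that still use klog.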

EXAMPLES

       In the following example, the issuer invokes the C shell instead of the default Bourne shell:

          # pagsh -c /bin/csh

PRIVILEGE REQUIRED

       None

SEE ALSO

       aklog(1), fs_exportafs(1), klog(1), tokens(1)

COPYRIGHT

       IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

       This documentation is covered by the IBM Public License Version 1.0.  It was converted from HTML  to  POD
       by  software  written  by  Chas  Williams  and Russ Allbery, based on work by Alf Wachsmann and Elizabeth
       Cassell.

OpenAFS                                            2025-03-21                                           PAGSH(1)