newaid(1)
NAME
newaid - Run processes with different sfsagents
SYNOPSIS
newaid [-l] [-{u|U} uid] [-G | -g gid] [-C dir] [program arg ...]
DESCRIPTION
The newaid command allows root-owned processes to access SFS file
systems using the sfsagent of a non-root user. Additionally, if a
system is configured to allow this, newaid permits non-root users to
run multiple sfsagent processes, so that different processes owned by
that user access the SFS file system with different agents. (When used
in the latter mode, newaid is similar in function to the AFS program
pagsh.)

SFS maps file system requests to particular sfsagent processes using
the notion of agent ID, or aid. Every process has a 64-bit aid
associated with it. Ordinarily, a process's aid is simply its 32-bit
user ID. Thus, when a user runs sfsagent, both the agent and all of the
user's processes have the same aid.

To allow different processes owned by the same user to have different
agents, a system administrator can reserve a range of group IDs for the
purpose of flagging different aids. See the ResvGids directive
described in the sfs_config man page for a description of how to do
this. (Note that after changing ResvGids, you must kill and restart
sfscd for things to work properly.) If the range of reserved group IDs
is min...max, and the first element of a process's grouplist, g0, is at
least min and not more than max, then a process's aid is computed as
((g0 - min + 1) << 32) | uid. The newaid command therefore lets people
insert any of the reserved group IDs at the start of a process's group
list.

For root-owned processes, it is also possible for processes to be
associated with a non-root agent. In this case, the reserved sfs-group
(as a marker) and target user's uid are actually placed in the
process's grouplist, as well as any reserved group ID to select amongst
multiple agents of the same user.

After making appropriate changes to its user ID and/or grouplists,
newaid executes the program specified on the command line. If no
program is specified, the program specified by the environment variable
SHELL is used by default.
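The aid rule from the DESCRIPTION, as a small C program. This is an added example, not part of the SFS sources, and it covers only the non-root case. The function names and the reserved range 20000...20099 are constructed for illustration.

```c
/* Added example, not SFS source. Implements the aid rule from the
 * DESCRIPTION for non-root processes; names and values are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/* aid = uid, unless the first grouplist entry g0 lies in the reserved
 * range [resv_min, resv_max]; then the upper 32 bits select the agent. */
uint64_t sfs_aid(uid_t uid, const gid_t *groups, int ngroups,
                 gid_t resv_min, gid_t resv_max)
{
    uint64_t aid = (uint32_t)uid;
    if (ngroups > 0 && groups[0] >= resv_min && groups[0] <= resv_max) {
        /* Widen before shifting: shifting a 32-bit value by 32 is
         * undefined behavior in C. */
        aid |= ((uint64_t)(groups[0] - resv_min) + 1) << 32;
    }
    return aid;
}

/* Inverse mapping. Returns 1 and sets *g0 when the aid was selected by a
 * reserved gid, 0 when the aid is just the uid. */
int aid_split(uint64_t aid, gid_t resv_min, uid_t *uid, gid_t *g0)
{
    uint64_t slot = aid >> 32;
    *uid = (uid_t)(aid & 0xffffffffu);
    if (slot == 0)
        return 0;
    *g0 = (gid_t)(resv_min + (slot - 1));
    return 1;
}

int main(void)
{
    const gid_t lo = 20000, hi = 20099;   /* constructed ResvGids range */
    const gid_t lists[][2] = {            /* constructed grouplists */
        {20000, 100}, {20001, 100}, {100, 20001}, {20100, 100},
    };
    for (size_t i = 0; i < sizeof lists / sizeof lists[0]; i++) {
        uint64_t aid = sfs_aid(1000, lists[i], 2, lo, hi);
        uid_t u; gid_t g = 0;
        int resv = aid_split(aid, lo, &u, &g);
        printf("g0=%-5lu aid=0x%010llx uid=%lu reserved=%d gid=%lu\n",
               (unsigned long)lists[i][0], (unsigned long long)aid,
               (unsigned long)u, resv, resv ? (unsigned long)g : 0UL);
    }
    return 0;
}
```

A reserved gid that is not the first grouplist entry, or a g0 just outside the range, leaves the aid equal to the uid, so the process falls back to the user's default agent.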
OPTIONS
-l
    Run the command as a login shell. This argument simply prepends a
    - character to argv[0] when executing program. Command shells
    interpret this to mean that they are being run as login shells, and
    usually exhibit slightly different behavior. (For example, csh will
    execute the commands in a user's .login file.)

-u uid
    For root-owned processes, specifies that the program should be run
    as root, but should be associated with the non-root agent of user
    uid.

-U uid
    When newaid is invoked by a root-owned process, this option sets
    the real uid to uid to run program, instead of running it with uid
    0. This in itself is not sufficient to "drop privileges." In
    particular, newaid still does not make any changes to the process
    gid or grouplist, beyond manipulating aid-specific groups. Since
    many root-owned processes also have privileged groups in their
    grouplist, it is in general insecure to use -U unless you set both
    the gid and the whole grouplist to something sensible (i.e.,
    appropriately unprivileged) before invoking newaid.

    This option is mostly of use for login-like programs that wish to
    create a session with a new aid, and do not wish to make the setuid
    system call themselves. As an example, the rexd daemon has the
    server's private key, yet must spawn the proxy program as an
    unprivileged user. If it dropped privileges before executing proxy,
    unprivileged users could send it signals, risking core dumps.
    Moreover, attackers might be able to exploit weaknesses in the
    operating system's ptrace system call or /proc file system to learn
    the private key. rexd therefore runs proxy through newaid, giving
    it the -U option.

-g gid
-G
    By default newaid simply picks the first aid under which no agent
    is yet running. The -g option explicitly specifies that gid should
    be added to the start of the process's group list (and any previous
    reserved gid should be removed). -G says to remove any reserved
    gid, so that the aid of the resulting process will just be the
    user's uid.

-C dir
    Changes directory to dir before running program.
SEE ALSO
dirsearch(1), rex(1), sfsagent(1), sfskey(1), ssu(1), sfs_config(5),
sfs_hosts(5), sfs_srp_params(5), sfs_users(5), sfsauthd_config(5),
sfscd_config(5), sfsrosd_config(5), sfsrwsd_config(5), sfssd_config(5),
sfs_environ(7), funmount(8), nfsmounter(8), sfsauthd(8), sfscd(8),
sfsrosd(8), sfsrwcd(8), sfsrwsd(8), sfssd(8), vidb(8)

The full documentation for SFS is maintained as a Texinfo manual. If
the info and SFS programs are properly installed at your site, the
command info SFS should give you access to the complete manual.

For updates, documentation, and software distribution, please see the
SFS website at http://www.fs.net/.
AUTHOR
sfsdev@redlab.lcs.mit.edu

SFS 0.8pre 2006-07-20