man newaid (Commands) - Run processes with different sfsagents

NAME

newaid - Run processes with different sfsagents

SYNOPSIS

newaid [-l] [-{u|U} uid] [-G | -g gid] [-C dir] [program arg ...]

DESCRIPTION

The newaid command allows root-owned processes to access SFS file systems using the sfsagent of a non-root user. Additionally, if a system is configured to allow this, newaid permits non-root users to run multiple sfsagent processes, so that different processes owned by that user access the SFS file system with different agents. (When used in the latter mode, newaid is similar in function to the AFS program pagsh.)

SFS maps file system requests to particular sfsagent processes using the notion of agent ID, or aid. Every process has a 64-bit aid associated with it. Ordinarily, a process's aid is simply its 32-bit user ID. Thus, when a user runs sfsagent, both the agent and all of the user's processes have the same aid.

To allow different processes owned by the same user to have different agents, a system administrator can reserve a range of group IDs for the purpose of flagging different aids. See the ResvGids directive described in the sfs_config man page for a description of how to do this. (Note that after changing ResvGids, you must kill and restart sfscd for things to work properly.) If the range of reserved group IDs is min...max, and the first element of a process's grouplist, g0, is at least min and not more than max, then a process's aid is computed as ((g0 - min + 1) << 32) | uid. The newaid command therefore lets people insert any of the reserved group IDs at the start of a process's group list.
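
The aid rule above, worked through in C as an added example (not code from the SFS distribution). The function name sfs_aid, the uid 1000 and the reserved range 5000...5015 are constructed for illustration; it covers only the non-root case described in this paragraph.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Agent ID for a non-root process, per the rule above.
 * resv_min/resv_max stand in for the ResvGids range; the caller supplies
 * them (this sketch does not read sfs_config).
 */
uint64_t sfs_aid(uint32_t uid, const uint32_t *groups, size_t ngroups,
                 uint32_t resv_min, uint32_t resv_max)
{
    uint64_t aid = uid;                 /* default: aid is the 32-bit uid */

    /* Only g0, the first grouplist entry, is consulted. */
    if (ngroups > 0 && groups[0] >= resv_min && groups[0] <= resv_max) {
        /* Widen to 64 bits before shifting; the +1 keeps the high word
         * non-zero, so a reserved-gid aid never equals a plain uid. */
        uint64_t slot = (uint64_t)(groups[0] - resv_min) + 1;
        aid |= slot << 32;
    }
    return aid;
}

int main(void)
{
    /* Constructed sample values, not taken from any real configuration. */
    const uint32_t uid = 1000, rmin = 5000, rmax = 5015;
    const uint32_t first[]  = { 5002, 100 };   /* reserved gid is g0 */
    const uint32_t second[] = { 100, 5002 };   /* reserved gid is not g0 */
    const uint32_t top[]    = { 5015 };        /* g0 == max, last slot */

    printf("g0=5002: 0x%" PRIx64 "\n", sfs_aid(uid, first, 2, rmin, rmax));
    printf("g0=100:  0x%" PRIx64 "\n", sfs_aid(uid, second, 2, rmin, rmax));
    printf("g0=5015: 0x%" PRIx64 "\n", sfs_aid(uid, top, 1, rmin, rmax));
    printf("no grps: 0x%" PRIx64 "\n", sfs_aid(uid, NULL, 0, rmin, rmax));
    return 0;
}
```

A reserved gid that appears anywhere other than the first grouplist position leaves the aid equal to the uid, which is why newaid places it at the start of the list.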

For root-owned processes, it is also possible for processes to be associated with a non-root agent. In this case, the reserved sfs-group (as a marker) and target user's uid are actually placed in the process's grouplist, as well as any reserved group ID to select amongst multiple agents of the same user.

After making appropriate changes to its user ID and/or grouplists, newaid executes the program specified on the command line. If no program is specified, the program specified by the environment variable SHELL is used by default.

OPTIONS

-l
Run the command as a login shell. This argument simply prepends a - character to argv[0] when executing program. Command shells interpret this to mean that they are being run as login shells, and usually exhibit slightly different behavior. (For example, csh will execute the commands in a user's .login file.)
-u uid
For a root-owned process, specifies that the program should be run as root, but should be associated with the non-root agent of user uid.
-U uid
When newaid is invoked by a root-owned process, this option sets the real uid to uid to run program, instead of running it with uid 0. This in itself is not sufficient to "drop privileges." In particular, newaid still does not make any changes to the process gid or grouplist, beyond manipulating aid-specific groups. Since many root-owned processes also have privileged groups in their grouplist, it is in general insecure to use -U unless you set both the gid and the whole grouplist to something sensible (i.e., appropriately unprivileged) before invoking newaid. This option is mostly of use for login-like programs that wish to create a session with a new aid, and do not wish to make the setuid system call themselves. As an example, the rexd daemon has the server's private key, yet must spawn the proxy program as an unprivileged user. If it dropped privileges before executing proxy, unprivileged users could send it signals, risking core dumps. Moreover, attackers might be able to exploit weaknesses in the operating system's ptrace system call or /proc file system to learn the private key. rexd therefore runs proxy through newaid, giving it the -U option.
-g gid
-G
By default newaid simply picks the first aid under which no agent is yet running. The -g option explicitly specifies that gid should be added to the start of the process's group list (and any previous reserved gid should be removed). -G says to remove any reserved gid, so that the aid of the resulting process will just be the user's uid.
-C dir
Changes directory to dir before running program.

SEE ALSO

dirsearch(1), rex(1), sfsagent(1), sfskey(1), ssu(1), sfs_config(5), sfs_hosts(5), sfs_srp_params(5), sfs_users(5), sfsauthd_config(5), sfscd_config(5), sfsrosd_config(5), sfsrwsd_config(5), sfssd_config(5), sfs_environ(7), funmount(8), nfsmounter(8), sfsauthd(8), sfscd(8), sfsrosd(8), sfsrwcd(8), sfsrwsd(8), sfssd(8), vidb(8)

The full documentation for SFS is maintained as a Texinfo manual. If the info and SFS programs are properly installed at your site, the command info SFS should give you access to the complete manual.

For updates, documentation, and software distribution, please see the SFS website at http://www.fs.net/.

AUTHOR

sfsdev@redlab.lcs.mit.edu