Overview of AFS PAGs
--------------------

The AFS client has a notion of Process Authentication Group (PAG) such that processes are grouped by login session and sub-session. AFS associates Kerberos credentials with these process groups, so that when a process accesses a file stored on a remote AFS server the client finds the correct Kerberos user credentials to use via the PAG that the process belongs to.

PAGs have ID numbers, much like traditional Unix process group IDs. On some operating systems there is native support for PAGs. On Solaris the OpenAFS client emulates PAGs by "borrowing" special GID values and two supplementary groups to encode a PAG ID.

The key semantics of PAGs are as follows:

a) PAG membership information is available in every context where a cred_t is available;

b) once set, a process's PAG membership is inherited by its progeny until _explicitly_ changed.

The traditional AFS interfaces to PAGs are:

- setpag(2), which takes one argument indicating whether to apply the change to the parent process (and/or, in some variants, takes an optional argument naming a PAG to join), joins the process to a new PAG, and returns the new PAG ID.

- aklog(1), a utility that has an option (-setpag) to change the parent process to a new PAG. aklog(1) acquires credentials for AFS cells and associates them with the caller's PAG (or the new PAG, if -setpag is used).

- pagsh(1), a utility that starts a new $SHELL in a process in its own PAG.

One problem with PAGs is that PAG IDs are typically 32-bit and can roll over, which complicates the task of new PAG ID allocation. Another is that each process can be a member of at most a single PAG (although AIX appears to allow multiple PAG memberships, with each membership named by a small integer).
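The following C program is an added illustration, not OpenAFS code, of the two ideas above: carrying a 32-bit PAG ID inside two supplementary GIDs drawn from a reserved range (so that the PAG is visible wherever the credential's group list is), and allocating new IDs from a 32-bit counter that wraps around. The reserved GID base, the split into two 16-bit halves and the allocator are assumptions chosen for clarity; OpenAFS's real Solaris encoding uses a different layout.

```c
/* Added example: PAG ID carried in two supplementary GIDs.
 * Assumptions (not OpenAFS's real scheme): GIDs in
 * [PAG_GID_BASE, PAG_GID_BASE + PAG_GID_SPAN) are reserved for PAG use,
 * and a 32-bit PAG ID is split into a high and a low 16-bit half. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

#define PAG_GID_BASE 0x3f000000u   /* hypothetical reserved GID base */
#define PAG_GID_SPAN 0x10000u      /* one 16-bit half fits in each GID */
#define PAG_NONE     0xffffffffu   /* "process is in no PAG" */

/* True if g lies in the reserved PAG GID range. */
static int is_pag_gid(gid_t g) {
    uint32_t v = (uint32_t)g;
    return v >= PAG_GID_BASE && v < PAG_GID_BASE + PAG_GID_SPAN;
}

/* Encode pag into two GIDs: g0 carries the high half, g1 the low half. */
void pag_to_gids(uint32_t pag, gid_t *g0, gid_t *g1) {
    *g0 = (gid_t)(PAG_GID_BASE + (pag >> 16));
    *g1 = (gid_t)(PAG_GID_BASE + (pag & 0xffffu));
}

/* Scan a supplementary group list (as getgroups(2) would return it) for
 * an adjacent pair of reserved GIDs and decode the PAG ID from them.
 * Returns PAG_NONE when the list carries no PAG. */
uint32_t pag_from_groups(const gid_t *groups, size_t n) {
    for (size_t i = 0; i + 1 < n; i++) {
        if (is_pag_gid(groups[i]) && is_pag_gid(groups[i + 1])) {
            uint32_t hi = (uint32_t)groups[i] - PAG_GID_BASE;
            uint32_t lo = (uint32_t)groups[i + 1] - PAG_GID_BASE;
            return (hi << 16) | lo;
        }
    }
    return PAG_NONE;
}

/* Model of setpag on such a system: drop any PAG GIDs already present
 * (a process is in at most one PAG), then append the new pair. Real
 * group lists (e.g. 100, 1000) are left untouched. Returns the new
 * length, or the old length unchanged if there is no room for the pair. */
size_t set_pag_in_groups(gid_t *groups, size_t n, size_t cap, uint32_t pag) {
    gid_t g0, g1;
    size_t w = 0;
    for (size_t i = 0; i < n; i++)
        if (!is_pag_gid(groups[i]))
            w++;                    /* count non-PAG entries first */
    if (w + 2 > cap)
        return n;                   /* no room: leave the list as it was */
    w = 0;
    for (size_t i = 0; i < n; i++)
        if (!is_pag_gid(groups[i]))
            groups[w++] = groups[i]; /* compact, stripping the old pair */
    pag_to_gids(pag, &g0, &g1);
    groups[w++] = g0;
    groups[w++] = g1;
    return w;
}

/* Toy allocator showing the rollover problem: the 32-bit counter wraps,
 * so a fresh ID must be checked against the IDs still in use, and the
 * PAG_NONE sentinel must never be handed out. Returns PAG_NONE only when
 * every ID is taken. */
uint32_t alloc_pag(uint32_t *next, const uint32_t *in_use, size_t n_in_use) {
    for (uint32_t tries = 0; tries < 0xffffffffu; tries++) {
        uint32_t id = (*next)++;    /* wraps to 0 after 0xffffffff */
        int taken = (id == PAG_NONE);
        for (size_t i = 0; i < n_in_use && !taken; i++)
            taken = (in_use[i] == id);
        if (!taken)
            return id;
    }
    return PAG_NONE;
}

int main(void) {
    gid_t groups[8] = {100, 1000};  /* constructed sample group list */
    size_t n = set_pag_in_groups(groups, 2, 8, 0x12345678u);
    printf("groups after setpag: %zu entries, PAG 0x%08x\n",
           n, pag_from_groups(groups, n));
    n = set_pag_in_groups(groups, n, 8, 0xabcdef01u);
    printf("after second setpag: %zu entries, PAG 0x%08x\n",
           n, pag_from_groups(groups, n));
    return 0;
}
```

Because the encoding rides on ordinary supplementary groups, anything that rewrites a process's group list (a setgroups(2) call, for instance) can silently drop or corrupt the PAG; that fragility is the price of emulating PAGs without kernel support.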