Index: trunk/packages/invirt-web/code/getafsgroups.py
===================================================================
--- trunk/packages/invirt-web/code/getafsgroups.py	(revision 1942)
+++ trunk/packages/invirt-web/code/getafsgroups.py	(revision 1947)
@@ -29,5 +29,5 @@
 
 def getAfsGroupMembers(group, cell):
-    p = subprocess.Popen(["pts", "membership", "-noauth", group, '-c', cell], 
+    p = subprocess.Popen(["pts", "membership", "-encrypt", group, '-c', cell],
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE)
     err = p.stderr.read()
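Review bot: `-encrypt` only protects the reply when the calling process actually holds tokens, and nothing visible in this hunk checks that it does. As far as I know, pts prints a warning on stderr and carries on unauthenticated when it cannot get tokens (worth confirming against the deployed OpenAFS version), so the function should fail closed: treat a non-zero exit status or any stderr output as an error rather than returning whatever stdout held. The handling of `err` continues outside this hunk, so this may already be done. Separately, `group` is passed as a bare positional argument; if it can ever come from user input, a value beginning with `-` would be parsed as an option, so pass it as `"-nameorid", group` or reject such names before the call.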
Index: trunk/packages/invirt-web/config.todo
===================================================================
--- trunk/packages/invirt-web/config.todo	(revision 1942)
+++ trunk/packages/invirt-web/config.todo	(revision 1947)
@@ -5,4 +5,5 @@
 files/etc/apache2/sites-available/default: assumes trac
 files/etc/init.d/apache2.invirt: afs cell (for svn)
+invirt-cache-acls: aklog athena sipb
 code/templates/error.tmpl: xvm@mit.edu
 code/templates/help.tmpl: assumes trac
Index: trunk/packages/invirt-web/debian/changelog
===================================================================
--- trunk/packages/invirt-web/debian/changelog	(revision 1942)
+++ trunk/packages/invirt-web/debian/changelog	(revision 1947)
@@ -1,8 +1,11 @@
 invirt-web (0.0.16) unstable; urgency=low
+
+  * Fix a security vulnerability: traditional `pts mem` is in cleartext
+    and could be spoofed.  Use new -encrypt option, which needs tokens.
 
   * make initscript stop command not leave apache2 processes lying around
     (so that restart works)
 
- -- Greg Price <price@mit.edu>  Fri, 19 Dec 2008 22:34:31 -0500
+ -- Greg Price <price@mit.edu>  Tue, 30 Dec 2008 17:31:48 -0500
 
 invirt-web (0.0.15) unstable; urgency=low
Index: trunk/packages/invirt-web/debian/invirt-web.cron.d
===================================================================
--- trunk/packages/invirt-web/debian/invirt-web.cron.d	(revision 1942)
+++ trunk/packages/invirt-web/debian/invirt-web.cron.d	(revision 1947)
@@ -6,3 +6,3 @@
 MAILTO=root
 
-*/5 * * * * www-data python /var/www/invirt-web/cache_acls.py
+*/5 * * * * www-data invirt-cache-acls
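Review bot: The job still runs as `www-data`, and the wrapper it now calls runs `kinit -k -t /etc/invirt/keytab`, so that keytab has to be readable by the web server account. Anything that can execute code as www-data can then obtain credentials for the `daemon/<host>` principal, and the tickets land in www-data's default credential cache, where the web processes can also reach them. If the web application itself does not need those credentials, consider running the refresh under a dedicated account that owns the keytab, e.g. `*/5 * * * * <cache-user> invirt-cache-acls` (placeholder user name). Otherwise, document the keytab ownership and mode the package expects. The top of this cron file is outside the hunk, so any `PATH` or environment set there is not visible here.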
Index: trunk/packages/invirt-web/debian/invirt-web.install
===================================================================
--- trunk/packages/invirt-web/debian/invirt-web.install	(revision 1942)
+++ trunk/packages/invirt-web/debian/invirt-web.install	(revision 1947)
@@ -1,1 +1,2 @@
 files/* .
+invirt-cache-acls /usr/bin/
Index: trunk/packages/invirt-web/invirt-cache-acls
===================================================================
--- trunk/packages/invirt-web/invirt-cache-acls	(revision 1947)
+++ trunk/packages/invirt-web/invirt-cache-acls	(revision 1947)
@@ -0,0 +1,4 @@
+#!/bin/sh
+kinit -k -t /etc/invirt/keytab daemon/$(hostname -f)
+aklog athena sipb
+python /var/www/invirt-web/cache_acls.py
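Review bot: Nothing in the script stops on failure: if `kinit` or `aklog` fails (unreadable keytab, KDC unreachable), `cache_acls.py` still runs, without fresh tokens. The changelog in this commit says `-encrypt` needs tokens, so that run would either error out or, if pts falls back to an unauthenticated connection, fetch membership over the very channel this commit is meant to avoid. Add `set -e` after the shebang, or chain the steps as `kinit ... && aklog athena sipb && exec python /var/www/invirt-web/cache_acls.py`, so a credential failure aborts the run and cron mails the error to root. `$(hostname -f)` is also unquoted; `"daemon/$(hostname -f)"` is the safer spelling.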
