[OpenAFS] pag's with new 2.6 mechanism

Alexander Boström abo@kth.se
Thu, 13 Jan 2005 16:56:56 +0100


On Mon 2005-01-10 at 23:00 -0600, Ryan Underwood wrote:

> I think I found the issue.  PAGs no longer survive a setuid() call.  As
> soon as an Apache child changes from root to www-data, it has lost its
> credentials.  Under 2.4, the credentials are still available after
> setuid so the child can access the sites on AFS.

Hmm, setuid() shouldn't clear the groups list. Perhaps setgid() (which
Apache calls) does though. Or maybe Apache calls setgroups().

Anyway... Put the tokens in the default PAG of www-data instead. That
is, don't use a PAG, just su to the www-data user and run kinit and
httpd. Then there are no PAG groups to lose. (Run the id command in the
same context to make sure.)

/abo
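
The check suggested in the reply (compare the group list in the same context) can also be done from inside a process, as in this added example, which is not part of the original message or of OpenAFS. It assumes, as the reply implies, that PAG membership shows up in the supplementary group list; `snapshot_groups` and `lost_groups` are hypothetical helper names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Snapshot the supplementary group list of the calling process.
 * Returns the number of groups (caller frees *out), or -1 on error. */
int snapshot_groups(gid_t **out)
{
    int n = getgroups(0, NULL);              /* size query only */
    if (n < 0) return -1;
    gid_t *buf = calloc(n > 0 ? n : 1, sizeof *buf);
    if (!buf) return -1;
    n = getgroups(n, buf);
    if (n < 0) { free(buf); return -1; }
    *out = buf;
    return n;
}

/* Store in lost[] every gid present in before[] but absent from after[].
 * lost[] must have room for nb entries. Returns the number stored. */
int lost_groups(const gid_t *before, int nb, const gid_t *after, int na, gid_t *lost)
{
    int count = 0;
    for (int i = 0; i < nb; i++) {
        int found = 0;
        for (int j = 0; j < na && !found; j++)
            found = (before[i] == after[j]);
        if (!found) lost[count++] = before[i];
    }
    return count;
}

int main(void)
{
    gid_t *before = NULL, *after = NULL;
    int nb = snapshot_groups(&before);
    /* A daemon would drop privileges here (setgroups/setgid/setuid). */
    int na = snapshot_groups(&after);
    if (nb < 0 || na < 0) { perror("getgroups"); return 1; }
    gid_t *lost = calloc(nb > 0 ? nb : 1, sizeof *lost);
    if (!lost) return 1;
    int n = lost_groups(before, nb, after, na, lost);
    for (int i = 0; i < n; i++)
        printf("lost supplementary gid %lu\n", (unsigned long)lost[i]);
    printf("%d of %d groups lost\n", n, nb);
    free(before); free(after); free(lost);
    return 0;
}
```

Taking the two snapshots around each individual call (setuid, setgid, setgroups) shows which one removes the groups.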