[OpenAFS] unpagsh fails with recent glibc
Jeffrey Hutzelman
jhutz@cmu.edu
Wed, 09 Mar 2005 10:36:06 -0500
On Wednesday, March 09, 2005 11:10:00 +0000 Dr A V Le Blanc
<LeBlanc@mcc.ac.uk> wrote:
> I asked about the failure of 'unpagsh' under kernels 2.6.x, and
> Jeffrey Hutzelman replied:
>
> On Tue, Mar 08, 2005 at 11:01:35AM -0500, Jeffrey Hutzelman wrote:
>> That's not surprising. unpagsh is not my code, but I did take a quick
>> look at it when you posted your first message. It works by overflowing
>> the fixed-size group list maintained by the kernel with "real" groups,
>> leaving no room for the groups added by AFS to represent the PAG. In
>> Linux 2.6, the list of groups associated with a process is not a
>> fixed-size array; it is dynamic, and our setgroups wrapper always grows
>> the list to make room for the PAG groups. So you can't get rid of them
>> by overflowing the array.
>>
>> Making this work would require a change to the OpenAFS kernel code.
>
> Isn't there a way -- not necessarily specifically using OpenAFS kernel
> features -- to get rid of a group without doing something dodgy?
> One can assume, for my purposes, that one is root and so on.
> As far as I can see, there are standard ways only to add a group
> to a process, not to get rid of it. It would be adequate if one could
> create a new process with the AFS groups left out... I don't see how
> to do such a thing using existing library functions.

You can use setgroups() to _replace_ the set of groups a process has; after
a call to setgroups, the process has only the groups you specified.
However, AFS traps setgroups and takes special steps to ensure that the
groups representing a PAG are preserved across the setgroups call, even if
they're not included in the list you specify.

So, there is a standard way to remove groups, but it doesn't work for our
"special" groups, which is why unpagsh uses the overflow hack.
-- Jeff
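
Added example, not part of the original message and not OpenAFS or unpagsh code: a small C check for the behaviour described above. It replaces the supplementary group list with setgroups(), reads it back with getgroups(), and reports any group that is present without having been requested. The helper names and the 256-entry buffer are assumptions made for the example; it must run as root (or with CAP_SETGID).

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* expose setgroups() in <grp.h> on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Copy into out[] every gid in actual[] that is absent from requested[];
 * returns how many were copied. out[] must hold at least nact entries. */
size_t unrequested_groups(const gid_t *requested, size_t nreq,
                          const gid_t *actual, size_t nact, gid_t *out)
{
    size_t found = 0;
    for (size_t i = 0; i < nact; i++) {
        size_t j = 0;
        while (j < nreq && requested[j] != actual[i])
            j++;
        if (j == nreq)              /* not in the list we asked for */
            out[found++] = actual[i];
    }
    return found;
}

/* Replace the supplementary groups with only the primary gid, then read
 * the list back. Returns the number of groups that survived without being
 * requested (written to out[]), or -1 on error. Needs root / CAP_SETGID. */
int drop_and_check(gid_t *out, size_t outlen)
{
    gid_t keep[1] = { getgid() };
    gid_t now[256];                 /* assumed large enough for this check */
    if (setgroups(1, keep) != 0)
        return -1;
    int n = getgroups((int)(sizeof now / sizeof now[0]), now);
    if (n < 0 || (size_t)n > outlen)
        return -1;
    return (int)unrequested_groups(keep, 1, now, (size_t)n, out);
}

int main(void)
{
    gid_t extra[256];
    int n = drop_and_check(extra, sizeof extra / sizeof extra[0]);
    if (n < 0) { perror("setgroups/getgroups"); return 1; }
    printf("%d group(s) present that were not requested\n", n);
    for (int i = 0; i < n; i++)
        printf("  gid %lu\n", (unsigned long)extra[i]);
    return 0;
}
```

On a system without the setgroups trap the count is 0; any gids it prints are groups that were kept across the call even though the caller left them out of the list.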