[OpenAFS] keyring issues

Alexander Bergolth leo@strike.wu-wien.ac.at
Tue, 24 Oct 2006 10:56:55 +0200


Hi,

I've noticed several differences concerning PAGs between the last
openafs-versions and 1.4.2 on linux 2.6 with keyring support and I
haven't found much information about the implementation, so I'd
appreciate it if someone could shed some light on it:

*) How do the setgroups() hooks and keyring support play together? What
happens if both the system call table has been found and is writeable
and keyring support is enabled?

*) I've noticed that even if setgroups() twisting is disabled, an
openafs client with keyring support will still use two groups to
identify the PAG. How are those two groups connected to the keyring
found in /proc/keys? Are there any debugging tools for the interaction
of tokens, groups and keyrings? And is there any information on if and
how the keyrings are transported across forks and user-id changes?

*) I've noticed that with openafs 1.4.2 with keyring support enabled,
doing an "su" will keep the token but returning from the root shell will
discard the token (see below). Previous (setgroups() based)
implementations didn't show this behavior. What's the reason for this
and how can I revert to the old style?

-------------------- 8< --------------------
$ tokens

Tokens held by the Cache Manager:

User's (AFS ID 5020) tokens for afs@wu-wien.ac.at [Expires Oct 22 22:37]
   --End of list--
$ cat /proc/keys
1ec3214c I--Q--     2 perm 1f3f0000  5020    -1 keyring   _uid.5020: empty
2ca04b78 I--Q--     1 perm 1f3f0000  5020    -1 keyring   _uid_ses.5020: 1/4
$ id -G
3000 33769 46409 6 10 500 501 502 33769 46408
$ su
# tokens

Tokens held by the Cache Manager:

User's (AFS ID 5020) tokens for afs@wu-wien.ac.at [Expires Oct 22 22:37]
   --End of list--
# id -G
0 33769 46409 1 2 3 4 6 10
# exit
$ tokens

Tokens held by the Cache Manager:

   --End of list--
$ cat /proc/keys
1ec3214c I--Q--     2 perm 1f3f0000  5020    -1 keyring   _uid.5020: empty
2ca04b78 I--Q--     1 perm 1f3f0000  5020    -1 keyring   _uid_ses.5020: 1/4
$ id -G
3000 33769 46409 6 10 500 501 502 33769 46408
-------------------- 8< --------------------

Thanks in advance,
cheers,
--leo
-- 
-----------------------------------------------------------------------
Alexander.Bergolth@wu-wien.ac.at                Fax: +43-1-31336-906050
Zentrum fuer Informatikdienste - Wirtschaftsuniversitaet Wien - Austria