[OpenAFS-devel] Nothing but the PAG

Jan Harkes jaharkes@cs.cmu.edu
Fri, 16 May 2003 11:24:05 -0400


On Thu, May 15, 2003 at 07:59:28PM -0500, Nathan Neulinger wrote:
> Does that in turn handle keeping the pag the same on subsequent
> fork/exec/setsid/etc. cycles until another newpag() is called?

Yes, and it even associates the pag with the file handle. So if I open a
file in one pag and pass it to a process in another pag the file remains
accessible, assuming the filesystem actually uses file->f_pag instead of
current->pag.

> I like this, it also makes it trivial to add a module later on that can
> get in there and do a setpag() if that is ever needed without having to
> have that be in the patch.

In reality, a pag is used to work around a bunch of solvable problems,

- To make sure that an application that uses setuid doesn't lose its
  original credentials. Why not just remove the setuid calls?
- To provide a 'private' session to do administrative stuff. How about
  creating a new local login, <user>-admin, and simply using 'su
  user-admin' before getting the admin tokens.
- To prevent a local daemon that is started by the user from accessing
  his private files. Again, new local userid and done.

So yes, I'm assuming that the user has administrative rights on his
machine, but the whole point of the AFS design was that clients were
untrusted in the first place.

Jan
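A small C model of the semantics described in the reply above, added here as an illustration and not code from the patch under discussion: the task and file structs, the newpag()/fork/exec/setsid/open stand-ins and the two access checks are all assumed, with current->pag and file->f_pag the only names taken from the mail. It shows the pag surviving fork/exec/setsid until newpag(), and why a handle opened in one pag stays usable in another only if the filesystem keys on file->f_pag.

```c
#include <stdio.h>

typedef unsigned long pag_t;
struct task { pag_t pag; };    /* stands in for current->pag */
struct file { pag_t f_pag; };  /* stands in for file->f_pag  */

static pag_t next_pag = 1;

/* newpag(): the only operation that changes a task's pag (hypothetical name) */
static void newpag(struct task *t) { t->pag = next_pag++; }

/* fork/exec/setsid leave the pag untouched: the child simply inherits it */
static struct task do_fork(const struct task *p) { return *p; }
static void do_exec(struct task *t) { (void)t; }
static void do_setsid(struct task *t) { (void)t; }

/* open(): the file handle records the pag it was opened under */
static struct file do_open(const struct task *t) {
    struct file f = { t->pag };
    return f;
}

/* Filesystem check keyed on file->f_pag: the handle stays usable wherever
 * it is passed, as long as the pag it was opened under holds tokens. */
static int can_access(const struct file *f, pag_t pag_with_tokens) {
    return f->f_pag == pag_with_tokens;
}

/* Check keyed on current->pag instead: the same handle is refused once it
 * reaches a task whose pag holds no tokens. */
static int can_access_by_task(const struct task *t, pag_t pag_with_tokens) {
    return t->pag == pag_with_tokens;
}

/* Walks the scenario from the mail; returns a bitmask of the three outcomes. */
static int scenario(void) {
    int r = 0;
    struct task a = {0}, b = {0};
    newpag(&a);                       /* pag 1: where the user's tokens live */
    struct task child = do_fork(&a);
    do_exec(&child); do_setsid(&child);
    if (child.pag == a.pag) r |= 1;   /* bit 0: pag survives fork/exec/setsid */
    struct file f = do_open(&a);      /* opened in pag 1 ... */
    newpag(&b);                       /* ... then handed to a task in pag 2 */
    if (can_access(&f, a.pag)) r |= 2;          /* bit 1: f_pag check passes */
    if (!can_access_by_task(&b, a.pag)) r |= 4; /* bit 2: current->pag check fails */
    return r;
}

int main(void) { printf("scenario bitmask: %d (expect 7)\n", scenario()); return 0; }
```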