[OpenAFS-devel] Joinable PAG's

Nathan Neulinger nneul@umr.edu
17 May 2003 14:56:03 -0500


> >If that capability is objectionable (most people didn't even
> >realize it was possible currently, and at that, only for
> >root/suid=0 procs)
> 
> I expect there was supposed to be more said on that last
> paragraph...

Yeah, meant to say: ... then leave that out, one of us can always add
that capability later with an add-on kernel module if necessary.

> I'm one of the people who didn't know that openafs had any
> support for joinable PAGs.  I mean, it was obviously
> possible to do at some technical level, for someone who was
> root and who could do some low-level programming, but not
> that there was some more visible user-interface for it.
> 
> I know there are situations where joinable PAGs might be
> useful, but I wouldn't want it to open any subtle security
> holes.  So, how can a process join an already-existing PAG,
> and what authentication/authorization steps are there?

Determine what the pag number you want to join is. It is represented as
two 16-bit group numbers. Type 'id' at the prompt, and you'll see
something like:

uid=0(root) gid=0(root) groups=34235,44399,0(root),7567(dba)

Once you have those two group numbers (34235,44399), just do a
setgroups() system call in any process (as root) and put those two
groups at the beginning of the supplementary group list. At that point,
you'll be in that pag.

-- Nathan

------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul@umr.edu
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216
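
An added example, not part of the original message or of OpenAFS itself: a defender-side audit that decodes the PAG from the two leading group numbers described above and reports PAGs held by processes running under different uids, which is what a root process looks like after joining a user's PAG. The encoding constants, function names, and the PID/`id` sample records are assumptions constructed for illustration; a shared PAG can also be inherited legitimately, so a hit is a prompt for review.

```python
import re
from collections import defaultdict

# Assumed constants: legacy OpenAFS group-pair PAG encoding; not from the original message.
PAG_GROUP_BASE = 0x3F00
ID_RE = re.compile(r"uid=(\d+)\S*\s+gid=\d+\S*\s+groups=(\S+)")

def pag_from_groups(groups):
    """Return the 32-bit PAG encoded in the first two supplementary groups, or None."""
    if len(groups) < 2:
        return None
    g0, g1 = groups[0] - PAG_GROUP_BASE, groups[1] - PAG_GROUP_BASE
    if not (0 <= g0 < 0xC000 and 0 <= g1 < 0xC000):
        return None
    low = ((g0 & 0x3FFF) << 14) | (g1 & 0x3FFF)
    high = (g1 >> 14) + 3 * (g0 >> 14)
    pag = ((high << 28) | low) & 0xFFFFFFFF
    return pag if (pag >> 24) == 0x41 else None  # valid PAGs carry 'A' in the top byte

def parse_id_line(line):
    """Extract (uid, [group numbers in listed order]) from `id`-style output."""
    m = ID_RE.search(line)
    if not m:
        raise ValueError(f"not id output: {line!r}")
    groups = [int(re.match(r"\d+", g).group()) for g in m.group(2).split(",")]
    return int(m.group(1)), groups

def pags_shared_across_uids(records):
    """Map PAG -> sorted PIDs, for PAGs held by processes with differing uids."""
    members = defaultdict(list)
    for pid, line in records:
        uid, groups = parse_id_line(line)
        pag = pag_from_groups(groups)
        if pag is not None:
            members[pag].append((pid, uid))
    return {pag: sorted(p for p, _ in procs)
            for pag, procs in members.items()
            if len({u for _, u in procs}) > 1}

# Constructed sample: PIDs and users are invented; the first `id` line is the one in the message.
SAMPLE = [
    (4101, "uid=0(root) gid=0(root) groups=34235,44399,0(root),7567(dba)"),
    (4102, "uid=1200(alice) gid=100(users) groups=34235,44399,100(users)"),
    (4103, "uid=1201(bob) gid=100(users) groups=33900,40017,100(users)"),
    (4104, "uid=1202(carol) gid=100(users) groups=100(users),7567(dba)"),
]

if __name__ == "__main__":
    print(pags_shared_across_uids(SAMPLE))
```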