[OpenAFS-devel] Joinable PAG's

Nathan Neulinger nneul@umr.edu
17 May 2003 14:59:09 -0500


I use this capability on Linux and HP-UX systems to go in
periodically and scan for PAGs/tokens in the kernel that are unused, and
clean them up manually by unlogging within the unused PAG.

GCPags support is supposed to do this, but I don't believe it is on by
default for Linux, and a while back at least, it wasn't usable on Linux.

The reason it's a problem (search the archive) is that the kernel token
list in the afs kernel module degrades badly when it gets too large,
resulting in frequent, significant hangs once you start having too many
leftover tokens in the kernel.

-- Nathan

On Sat, 2003-05-17 at 14:56, Nathan Neulinger wrote:
> > >If that capability is objectionable (most people didn't even
> > >realize it was possible currently, and at that, only for
> > >root/suid=0 procs)
> > 
> > I expect there was supposed to be more said on that last
> > paragraph...
> 
> Yeah, meant to say: ... then leave that out, one of us can always add
> that capability later with an add-on kernel module if necessary.
> 
> > I'm one of the people who didn't know that openafs had any
> > support for joinable PAGs.  I mean, it was obviously
> > possible to do at some technical level, for someone who was
> > root and who could do some low-level programming, but not
> > that there was some more visible user-interface for it.
> > 
> > I know there are situations where joinable PAGs might be
> > useful, but I wouldn't want it to open any subtle security
> > holes.  So, how can a process join an already-existing PAG,
> > and what authentication/authorization steps are there?
> 
> Determine what the PAG number you want to join is. It is represented as
> two 16-bit group numbers. Type 'id' at the prompt, and you'll see
> something like:
> 
> uid=0(root) gid=0(root) groups=34235,44399,0(root),7567(dba)
> 
> Once you have those two group numbers (34235,44399), just do a
> setgroups() system call in any process (as root) and put those two
> groups at the beginning of the supplementary group list. At that point,
> you'll be in that PAG.
> 
> -- Nathan
> 
> ------------------------------------------------------------
> Nathan Neulinger                       EMail:  nneul@umr.edu
> University of Missouri - Rolla         Phone: (573) 341-4841
> Computing Services                       Fax: (573) 341-4216
-- 

------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul@umr.edu
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216
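The join-a-PAG procedure Nathan quotes above (read the first two group numbers out of `id`, then setgroups() with them at the front of the supplementary list), written out as an added example. This is not code from the OpenAFS tree or from the original posts; the function names and the `id` line parsing are mine, and it assumes Linux/glibc (setgroups() from grp.h). As the thread notes, only root (CAP_SETGID) can make the setgroups() call succeed; the parsing and list-building helpers run unprivileged and are what a scanner or cleanup script would reuse.

```c
/* Added example, not OpenAFS code: join an existing AFS PAG by placing its
 * two group numbers at the front of the supplementary group list, exactly
 * as described in the thread. setgroups() needs root; the helpers do not. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Pull the first two numbers after "groups=" out of one line of `id`
 * output, e.g. "uid=0(root) gid=0(root) groups=34235,44399,0(root),7567(dba)".
 * Returns 0 and fills g0/g1 on success, -1 if two numbers are not there. */
int parse_pag_from_id(const char *line, gid_t *g0, gid_t *g1)
{
    const char *p = strstr(line, "groups=");
    if (!p)
        return -1;
    p += strlen("groups=");
    char *end;
    unsigned long a = strtoul(p, &end, 10);
    if (end == p || *end != ',')
        return -1;
    p = end + 1;
    unsigned long b = strtoul(p, &end, 10);
    if (end == p)
        return -1;
    *g0 = (gid_t)a;
    *g1 = (gid_t)b;
    return 0;
}

/* Build the list handed to setgroups(): g0 and g1 first (ordering is what
 * makes the kernel module see the PAG), then the existing groups with any
 * stray copy of g0/g1 dropped so the pair is not duplicated further down.
 * Returns the new count, or -1 if `cap` is too small. */
int build_pag_group_list(gid_t g0, gid_t g1, const gid_t *cur, int ncur,
                         gid_t *out, int cap)
{
    int n = 0;
    if (cap < 2)
        return -1;
    out[n++] = g0;
    out[n++] = g1;
    for (int i = 0; i < ncur; i++) {
        if (cur[i] == g0 || cur[i] == g1)
            continue;
        if (n >= cap)
            return -1;
        out[n++] = cur[i];
    }
    return n;
}

/* Move the calling process into the PAG identified by (g0, g1).
 * Returns 0 on success, -1 with errno set (EPERM when not root). */
int join_pag(gid_t g0, gid_t g1)
{
    int ncur = getgroups(0, NULL);
    if (ncur < 0)
        return -1;
    gid_t *cur = calloc(ncur > 0 ? ncur : 1, sizeof *cur);
    gid_t *next = calloc((size_t)ncur + 2, sizeof *next);
    int rc = -1;
    if (cur && next && getgroups(ncur, cur) == ncur) {
        int n = build_pag_group_list(g0, g1, cur, ncur, next, ncur + 2);
        if (n > 0)
            rc = setgroups((size_t)n, next);
    }
    free(cur);
    free(next);
    return rc;
}

/* Usage: join_pag 'uid=0(root) gid=0(root) groups=34235,44399,0(root)'
 * Anything exec'd afterwards (e.g. unlog, for the cleanup described in the
 * thread) runs inside that PAG; here we just exec `id` to show the result. */
int main(int argc, char **argv)
{
    gid_t g0, g1;
    if (argc != 2 || parse_pag_from_id(argv[1], &g0, &g1) != 0) {
        fprintf(stderr, "usage: %s '<line of id output>'\n", argv[0]);
        return 2;
    }
    if (join_pag(g0, g1) != 0) {
        perror("setgroups");  /* EPERM unless run as root */
        return 1;
    }
    execlp("id", "id", (char *)NULL);
    perror("execlp");
    return 1;
}
```

The only authorization step in the whole sequence is the kernel's check on setgroups() itself, which is why the thread observes that the capability exists today only for root/suid=0 processes: nothing in the AFS module asks whether the caller has any business in that PAG.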