[OpenAFS-devel] Re: [OpenAFS] 2.6 kernel support anytime soon? Workarounds?

Douglas E. Engert deengert@anl.gov
Wed, 12 May 2004 07:52:43 -0500


Derek Atkins wrote:
> 
> This is not the behavior we want.

OK. So how about this, we shadow the task_struct saving the start_time
and when we see a new group_info structure, up the usage count and
save a pointer to it in another shadow table.  

We can use the address of the group_info as a marker, since it
is copied when a process is created.  

When AFS needs to find the PAG, it can then be found by looking up the 
task's group_info address in our group shadow table. If not found in 
our shadow table this is a new task, or it has changed its groups.

We then look up the task with its start_time to see if we knew about
it before, and if it was in a PAG. We then up the new group usage count,
and save it in the group shadow table. 

If not in a PAG, see if its parents were in a PAG.

So for a process to escape the PAG jail, it would have to set new groups,
fork to get a new process, and have the original process exit so the new process
gets reparented to a process not in a PAG. Since setgroups must be done by root,
an ordinary user cannot escape the jail by doing this.

Garbage collection would then clean up any shadow tables, and dec the
usage in the group_info.
 
> 
> > But the situation looks desperate. This calls for new thinking.
> 
> Well, we could try to convince people to stop using Linux and use
> a "real os"  ;)
> 
> Seriously, in over 15 years of AFS usage on over 20 OSes/Versions that
> I've used, Linux 2.6 is the FIRST to go BACKWARDS from working with
> AFS to NOT working with AFS due to blocking these entry points.
> 
> Personally I'm quite happy to stay with Linux 2.4 for a while longer
> and consider alternatives.

Personally I don't think we can wait. If it's a choice between AFS and
Linux, Linux will win, and my site will have to find something other
than AFS. Personally I don't want to see it come to this.

> 
> -derek
> 
> --
>        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>        Member, MIT Student Information Processing Board  (SIPB)
>        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
>        warlord@MIT.EDU                        PGP key available

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
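
The lookup order proposed in this message, modelled in userspace C as an added example that is not part of the original post and is not OpenAFS code. All struct, table and function names are hypothetical, `start_time` is assumed to identify a task uniquely, and PAG value 0 means "not in a PAG".

```c
/* Userspace model of the lookup proposed above; every name here is hypothetical. */
#include <stddef.h>

struct group_info { int usage; };   /* stand-in for the kernel's refcounted struct */
struct task {
    unsigned long start_time;       /* assumed unique per task in this model */
    struct group_info *gi;          /* pointer is copied to the child on fork */
    struct task *parent;
};

#define SLOTS 16
static struct { struct group_info *gi; unsigned pag; } group_shadow[SLOTS];
static struct { unsigned long start_time; unsigned pag; } task_shadow[SLOTS];
static int n_groups, n_tasks;

static unsigned group_lookup(const struct group_info *gi) {
    for (int i = 0; i < n_groups; i++)
        if (group_shadow[i].gi == gi) return group_shadow[i].pag;
    return 0;                       /* 0 means "no PAG" */
}

static unsigned task_lookup(unsigned long start_time) {
    for (int i = 0; i < n_tasks; i++)
        if (task_shadow[i].start_time == start_time) return task_shadow[i].pag;
    return 0;
}

/* Record task and group_info under pag; also stands in for setpag here. */
void remember(struct task *t, unsigned pag) {
    if (!group_lookup(t->gi) && n_groups < SLOTS) {
        t->gi->usage++;             /* hold a reference while the table points at it */
        group_shadow[n_groups].gi = t->gi;
        group_shadow[n_groups++].pag = pag;
    }
    if (!task_lookup(t->start_time) && n_tasks < SLOTS) {
        task_shadow[n_tasks].start_time = t->start_time;
        task_shadow[n_tasks++].pag = pag;
    }
}

unsigned find_pag(struct task *t) {
    unsigned pag = group_lookup(t->gi);               /* known group_info address */
    if (!pag) pag = task_lookup(t->start_time);       /* known task, new groups */
    if (!pag && t->parent) pag = find_pag(t->parent); /* inherit from ancestors */
    if (pag) remember(t, pag);
    return pag;
}
```

Garbage collection of the two tables, and the matching decrement of `usage`, is left out of this model.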