[OpenAFS-devel] Unprotected PAGs

Alexander Boström abo@e.kth.se
Wed, 21 Sep 2005 18:55:02 +0200


--=-cpkxp0jA84vUCF6P3dtq
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

Hi,

I like my PAGs unprotected. That is, without the setgroups wrapper. So I
wrote a patch (attached) that adds an option to libafs to turn off the
syscall table changes. I'd be happy to see it included in the official
distribution.

In case you wonder, my reasons for preferring unprotected PAGs include:

I don't need protected PAGs and my users won't notice the difference.
Since the syscall table thing is a bit controversial, avoiding it seems
like a good idea.

Getting out of a PAG can be useful sometimes, for example when starting
deamons.

If httpd is allowed to, it will break out of the PAG (if started from a
PAG:d shell). That means that the problem of getting into the same PAG
as httpd disappears, which makes it possible to use cron to update the
token for the httpd user.

/abo


--=-cpkxp0jA84vUCF6P3dtq
Content-Disposition: attachment; filename=openafs-1.4.0-rc4-src-syscallopt.patch
Content-Type: text/x-patch; name=openafs-1.4.0-rc4-src-syscallopt.patch; charset=UTF-8
Content-Transfer-Encoding: base64

LS0tIHNyYy9hZnMvTElOVVgvb3NpX21vZHVsZS5jCTIwMDUtMDctMTEgMjE6Mjk6NTYuMDAwMDAw
MDAwICswMjAwDQorKysgc3JjL2Fmcy9MSU5VWC9vc2lfbW9kdWxlLmMuc3lzY2FsbG9wdAkyMDA1
LTA5LTIxIDExOjAwOjUzLjg2NTg1OTM1OCArMDIwMA0KQEAgLTM4LDYgKzM4LDExIEBADQogI2lu
Y2x1ZGUgPGxpbnV4L3NlcV9maWxlLmg+DQogI2VuZGlmDQogDQorLyogSWYgdGhpcyBpcyBzZXQs
IHN5c2NhbGwgaXMgZW5hYmxlZCAqLw0KK3N0YXRpYyBpbnQgZW5hYmxlX3N5c2NhbGwgPSAxOw0K
K01PRFVMRV9QQVJNKGVuYWJsZV9zeXNjYWxsLCAiaSIpOw0KK01PRFVMRV9QQVJNX0RFU0MoZW5h
YmxlX3N5c2NhbGwsICJFbmFibGUgc3lzY2FsbCAob24gYnkgZGVmYXVsdCwgc2V0IHRvIDAgdG8g
ZGlzYWJsZSkiKTsNCisNCiBleHRlcm4gc3RydWN0IGZpbGVfc3lzdGVtX3R5cGUgYWZzX2ZzX3R5
cGU7DQogDQogI2lmICFkZWZpbmVkKEFGU19MSU5VWDI0X0VOVikNCkBAIC0zNjAsOSArMzY1LDEx
IEBADQogDQogICAgIG9zaV9Jbml0KCk7DQogDQotICAgIGVyciA9IG9zaV9zeXNjYWxsX2luaXQo
KTsNCi0gICAgaWYgKGVycikNCi0JcmV0dXJuIGVycjsNCisgICAgaWYgKGVuYWJsZV9zeXNjYWxs
KSB7DQorCWVyciA9IG9zaV9zeXNjYWxsX2luaXQoKTsNCisJaWYgKGVycikNCisJICAgIHJldHVy
biBlcnI7DQorICAgIH0NCiAgICAgZXJyID0gYWZzX2luaXRfaW5vZGVjYWNoZSgpOw0KICAgICBp
ZiAoZXJyKQ0KIAlyZXR1cm4gZXJyOw0KQEAgLTM4NCw3ICszOTEsOCBAQA0KICNlbmRpZg0KIHsN
CiAgICAgb3NpX3N5c2N0bF9jbGVhbigpOw0KLSAgICBvc2lfc3lzY2FsbF9jbGVhbigpOw0KKyAg
ICBpZiAoZW5hYmxlX3N5c2NhbGwpDQorCW9zaV9zeXNjYWxsX2NsZWFuKCk7DQogICAgIHVucmVn
aXN0ZXJfZmlsZXN5c3RlbSgmYWZzX2ZzX3R5cGUpOw0KIA0KICAgICBhZnNfZGVzdHJveV9pbm9k
ZWNhY2hlKCk7DQo=


--=-cpkxp0jA84vUCF6P3dtq--