[OpenAFS-devel] setgroups() fails to change pag under linux 2.6
chas williams - CONTRACTOR
chas@cmf.nrl.navy.mil
Wed, 09 Aug 2006 12:16:36 -0400
In message <FAE01A19-F876-471F-AB75-AF6D5B9C60DF@e18.physik.tu-muenchen.de>, Roland Kuhn writes:
>You got me curious. I should probably have watched this thread more
>closely and maybe it would then be clear to me: Why should userspace
>ever see a PAG identifier? What should it be able to do with it?
ideally, the userspace would be unaware of the pag and/or be able to
read/write it. however, pags were stored in the group list which was
the only thing available at the time. so users could see the pag and
do unwise things. only root can change the group list so this at least
kept ordinary users from manipulating their group list.
with the keyring, the pag is stored in the user's session keyring. so the
user can see the pag, but not its value (since the key doesn't have a
read/update entry point). so the current keyring implementation is close
to what would be ideal (with some exceptions regarding session management
when sharing with other keyring users). right now the keyring code puts
back the pag groups but there is no particular reason for this. it's just
compatibility -- people expect to see the pag groups in the group list.