[OpenAFS-devel] setgroups() fails to change pag under linux 2.6

Roland Kuhn rkuhn@e18.physik.tu-muenchen.de
Thu, 10 Aug 2006 14:39:14 +0200



Hi Chas!

On 9 Aug 2006, at 18:16, chas williams - CONTRACTOR wrote:

> In message <FAE01A19-F876-471F-AB75-AF6D5B9C60DF@e18.physik.tu-muenchen.de>, Roland Kuhn writes:
>> You got me curious. I should probably have watched this thread more
>> closely and maybe it would then be clear to me: Why should userspace
>> ever see a PAG identifier? What should it be able to do with it?
>
> ideally, the userspace would be unaware of the pag and/or be able to
> read/write it.  however, pags were stored in the group list which was
> the only thing available at the time.  so users could see the pag and
> do unwise things.  only root can change the group list so this at least
> kept ordinary users from manipulating their group list.
>
Okay, so PAG reuse should not be an issue, right? :-) If you do
"unwise things", you get to keep the pieces.

> with the keyring, the pag is stored in the users session keyring.  so the
> user can see the pag, but not its value (since the key doesn't have a
> read/update entry point).

Why is it necessary to identify a PAG by something else than the
equivalent keyring? Forgive my ignorance about keyring internals, but
I would imagine that a PAG is represented by processes holding a
reference to a certain keyring, which in turn contains an
authentication token for AFS.

> so the current keyring implementation is close
> to what would be ideal (with some exceptions regarding session management
> when sharing with other keyring users).  right now the keyring code puts
> back the pag groups but there is no particular reason for this.  its just
> compatibility -- people expect to see the pag groups in the group list.

Well, _some_ do. Others don't. It's an idiosyncrasy which some people
got used to.

Ciao,
                     Roland

--
TU Muenchen, Physik-Department E18, James-Franck-Str., 85748 Garching
Telefon 089/289-12575; Telefax 089/289-12570
--
CERN office: 892-1-D23 phone: +41 22 7676540 mobile: +41 76 487 4482
--
Any society that would give up a little liberty to gain a little
security will deserve neither and lose both.  - Benjamin Franklin
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GS/CS/M/MU d-(++) s:+ a-> C+++ UL++++ P+++ L+++ E(+) W+ !N K- w--- M+ !V Y+
PGP++ t+(++) 5 R+ tv-- b+ DI++ e+++>++++ h---- y+++
------END GEEK CODE BLOCK------
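An added example, not part of the thread above, to make concrete what Chas means by "users could see the pag" when it lives in the group list: an unprivileged process only needs getgroups() to read its supplementary groups, and the PAG is recoverable from them. The encoding used here is the one I know from the OpenAFS Linux client (afs_get_groups_from_pag / afs_get_pag_from_groups: a PAG is a 32-bit value whose top byte is 'A', stored either as that single gid or as two gids offset by 0x3f00); the thread itself does not spell it out, so treat the constants as coming from my reading of the source rather than from this message. The sample group list is constructed, not captured from a real process.

```c
/* Added example: how an OpenAFS PAG appears in a process's supplementary
 * group list on Linux, and how an ordinary user can recover it.
 * Encoding assumed from the OpenAFS Linux client (not stated in the thread). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

#define NOPAG 0xffffffffU

/* A PAG is a 32-bit value whose top byte is 'A' (0x41). */
static int is_pag_value(uint32_t v)
{
    return ((v >> 24) & 0xff) == 'A';
}

/* Old-style encoding: one PAG becomes two gids, both offset by 0x3f00. */
void pag_to_groups(uint32_t pag, gid_t *g0p, gid_t *g1p)
{
    uint32_t g0, g1;
    pag &= 0x7fffffff;
    g0 = 0x3fff & (pag >> 14);
    g1 = 0x3fff & pag;
    g0 |= ((pag >> 28) / 3) << 14;
    g1 |= ((pag >> 28) % 3) << 14;
    *g0p = g0 + 0x3f00;
    *g1p = g1 + 0x3f00;
}

/* Inverse: two adjacent gids back to a PAG, or NOPAG if they do not decode.
 * The subtraction wraps for gids below 0x3f00, which the range check rejects. */
uint32_t groups_to_pag(gid_t g0a, gid_t g1a)
{
    uint32_t g0 = (uint32_t)g0a - 0x3f00;
    uint32_t g1 = (uint32_t)g1a - 0x3f00;
    uint32_t h, l, ret;

    if (g0 >= 0xc000 || g1 >= 0xc000)
        return NOPAG;
    l = ((g0 & 0x3fff) << 14) | (g1 & 0x3fff);
    h = g0 >> 14;
    h = (g1 >> 14) + h + h + h;
    ret = (h << 28) | l;
    return is_pag_value(ret) ? ret : NOPAG;
}

/* Scan a group list as returned by getgroups(): either a single gid that
 * already is a PAG value, or an old-style pair of gids. */
uint32_t find_pag(const gid_t *groups, int n)
{
    for (int i = 0; i < n; i++) {
        if (is_pag_value((uint32_t)groups[i]))
            return (uint32_t)groups[i];
        if (i + 1 < n) {
            uint32_t pag = groups_to_pag(groups[i], groups[i + 1]);
            if (pag != NOPAG)
                return pag;
        }
    }
    return NOPAG;
}

/* Encode and decode again; 1 if the PAG survives the round trip. */
int pag_roundtrip_ok(uint32_t pag)
{
    gid_t g0, g1;
    pag_to_groups(pag, &g0, &g1);
    return groups_to_pag(g0, g1) == pag;
}

/* Constructed sample: ordinary groups plus the pair encoding PAG 0x41000001. */
uint32_t sample_pag(void)
{
    gid_t g0, g1;
    pag_to_groups(0x41000001U, &g0, &g1);
    gid_t sample[] = { 100, 1000, g0, g1, 4000 };
    return find_pag(sample, (int)(sizeof sample / sizeof sample[0]));
}

int main(void)
{
    printf("PAG recovered from constructed group list: 0x%08x\n", sample_pag());

    /* Live check of the calling process: works as any user on an AFS client. */
    int ng = getgroups(0, NULL);
    if (ng > 0) {
        gid_t *mine = calloc((size_t)ng, sizeof *mine);
        if (mine && getgroups(ng, mine) == ng) {
            uint32_t p = find_pag(mine, ng);
            printf("this process: %s\n", p == NOPAG ? "no PAG" : "has a PAG");
        }
        free(mine);
    }
    return 0;
}
```

The point of the two-way scan in find_pag is only that reading the PAG needs no privilege at all; changing it is what setgroups() gates behind CAP_SETGID, which is the "at least" Chas refers to. With the keyring approach the key's serial is visible the same way, but without a read entry point there is nothing to decode.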