[OpenAFS-devel] setgroups() fails to change pag under linux 2.6

[David Thompson]

Jeffrey Altman wrote:
>> Think things like web servers that run authenticated as the (each) web page 
>author.  Or, <scream volume="primal"> think things like authenticated mail del
>ivery.</scream>  In either case, I have to authenticate as the same principal 
>over and over, and I can't wait for a new pag for each request.  So, I create 
>(and authenticate) a pag for each principal, and I can authenticate quickly vi
>a a setgroups() call to select the appropriate authentication (pag).
>> 
>> Our implementation consists of more than that, but that's the core of it.
>> 
>> Dave Thompson
>> UW-Madison
>
>Why do you need a new PAG as opposed to simply performing an unlog()
>operation on your existing PAG?
>
>You only need a new PAG when your web server creates a new process.

Several reasons:

1) We wanted to create a tool that was not application-specific.  By 
implementing the authentication layer as a wrapper, we have very good 
flexibility to do per-principal authentication in many different environments.

2) We wanted a tool that could be used in child processes that might be long 
lived (even to semi-permanent or permanent daemons).

3) Specifically for the web server example, in your proposal, a malicious web 
page could fork() itself, exit the parent thead, and wait around and start 
collecting other authentications, as the web server changed the authentication 
in the pag for other requests.  Yuch.

There are probably other reasons that I'm not thinking of now.

Dave