[OpenAFS-devel] setgroups() fails to change pag under linux 2.6

Jeffrey Hutzelman jhutz@cmu.edu
Fri, 21 Jul 2006 13:44:01 -0400


On Friday, July 21, 2006 08:46:07 AM -0500 David Thompson 
<thomas@cs.wisc.edu> wrote:

> Jeffrey Hutzelman wrote:
>>
>> What UID do those scripts run as?
>> If they all run as the same user, then you haven't gained much.
>> And if they don't, then something with UID 0 is involved in creating
> them, and the one-PAG-per-second rate limit doesn't apply to UID 0.
>
> Yes, the authentication wrapper is suid root.

So arrange for your wrapper to set a new PAG before changing its UID, and 
the one-PAG-per-second limit won't apply.  Then just make sure you reboot 
your servers often enough to avoid rollover (at least once every 2^24 PAGs).

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA