[OpenAFS-devel] FC6 aklog -setpag doesn't set tokens

Tue, 31 Oct 2006 09:39:27 -0800

On Mon, Oct 30, 2006 at 08:21:04PM -0500, Jeffrey Hutzelman wrote:
> 
> 
> On Monday, October 30, 2006 03:50:50 PM -0800 Miles Davis 
> <miles@CS.Stanford.EDU> wrote:
> 
> >
> >Using the openafs.org RPM, slightly modified (with fsync patch and
> >linux/autoconf.h replacing linux/config.h), aklog -setpag seems to get
> >a token, but...doesn't.
> 
> You haven't said what kernel and AFS versions you're using, but I'm going 
> to bet they're pretty new, since you did say you're running FC6. 

Duh, sorry about that. The kernel is 2.6.18-1.2798.fc6, and openafs 
1.4.2.

>  The 
> -setpag switch uses an AFS system call which violates a basic UNIX design 
> principle, by allowing the process that calls it (aklog) to modify the 
> execution environment of its parent (your shell).  That mechanism has 
> always been somewhat ugly, and it's likely that with kernels new enough to 
> require keyring-based PAG tracking, it has never worked and never will. 
> What's probably going on here is that aklog's PAG is being changed, but 
> that of the parent shell is not, so your tokens are being dropped into the 
> great abyss.

Ah, I never understood the mechanism behind it. Thanks for the info.

> I'd suggest you stop using -setpag entirely.  Instead, consider using 
> pagsh, which gives you a new shell with a new PAG, along the same lines as 
> newgrp.

That's my plan. I'm not sure why I was using -setpag to begin with (in 
my pam_aklog module and login scripts), since I already have a pag on 
login...I must have assumed it was the safe fallback or something.

Anyway, I'm loving 1.4.2...the move from fc4 to fc6 is the easiest 
yet.

-- 
// Miles Davis - miles@cs.stanford.edu - http://www.cs.stanford.edu/~miles
// Computer Science Department - Computer Facilities
// Stanford University