[OpenAFS-devel] klog (the kaserver kind) and PAGs on x86_64
Simon Wilkinson
sxw@inf.ed.ac.uk
Thu, 3 Jan 2008 12:04:58 +0000
On 3 Jan 2008, at 11:47, Atro Tossavainen wrote:
> Can somebody please explain to me why a "klog -setpag account" does
> not produce a token on CentOS 4.6 x86_64? "klog account" does
> generate
> a token, without a PAG (so root su'ing to the user gets it). Logging
> in via pam_afs.so does (and "groups" shows the two anon groups, and
> root su'ing to the user does not get the token).
It's to do with the way that PAGs are created in each of these cases.
When you run klog -setpag, you have a process tree that looks like
shell->klog (so, when klog exits, control returns to the shell) - in
order to be able to set the PAG, klog must change the PAG of its
parent process. Both finding the identity of the parent process, and
then forcing it into a particular PAG, requires all sorts of kernel
fiddling which doesn't work on some kernels and architectures. By
contrast, when you log in and use a PAM module, then PAG is created
by the module itself, so the login (or ssh, or ...) process ends up
in that PAG, and the child just inherits the PAG from its parent.
In addition, there are some odd bugs with the ways in which aklog -
setpag doesn't work on some Linux variants - RT #57154 has more details.
Simon.