[OpenAFS-devel] linux keyrings, PAGs and KEY_ALLOC_IN_QUOTA
Rainer Toebbicke
rtb@pclella.cern.ch
Tue, 16 Mar 2010 14:01:34 +0100

In 1.4.11, under Linux >= 2.6.18, the setpag() routine allocates a new session
keyring and afs pag with the KEY_ALLOC_IN_QUOTA flag.

Besides the problematic debugging (this fails silently when over key-quota),
it creates a problem for a daemon running as root, opening a pag and then
'su'ing to a normal user: as the keyring creation fails, the 'su'ed process
does not run in its caller's pag and hence without credentials.

Under RHEL5 the keyring quota is 100, hard-coded as far as I can see, and
already 50 sshd sessions fill it up (with the standard Red Hat pam_krb5,
sshd/pam seems to setpag() as root, each counting as two entries, even though
the user seems to run in yet another pag).

One might argue whether sshd/pam using up a pag accounted against
root is logical; on the other hand I consider creating a pag as root a valid
use-case and a quota of effectively 50 unacceptably low. (Under Ubuntu karmic
this is 200 (->100), which does not change the problem fundamentally.)

Hence I suggest changing this to use KEY_ALLOC_NOT_IN_QUOTA for root, and
KEY_ALLOC_IN_QUOTA for others, for the new session keyring.

Any thoughts?

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rainer Toebbicke
European Laboratory for Particle Physics(CERN) - Geneva, Switzerland
Phone: +41 22 767 8985 Fax: +41 22 767 7155
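
Since the message notes that the allocation fails silently when over key-quota, the following added example (not part of the original post and not OpenAFS code) reads the kernel's per-UID key accounting in /proc/key-users and reports UIDs close to their quota. The sample lines are constructed, and the function names and the 90% threshold are assumptions.

```python
import re

# Constructed sample in the /proc/key-users layout:
# <uid>: <usage> <nkeys>/<nikeys> <qnkeys>/<maxkeys> <qnbytes>/<maxbytes>
SAMPLE = """\
    0:   104 103/103 100/100 2460/10000
  500:     3 2/2 2/100 56/10000
 1042:    12 11/11 9/100 9800/10000
"""

LINE = re.compile(
    r"^\s*(\d+):\s+(\d+)\s+(\d+)/(\d+)\s+(\d+)/(\d+)\s+(\d+)/(\d+)\s*$")
FIELDS = ("uid", "usage", "nkeys", "nikeys",
          "qnkeys", "maxkeys", "qnbytes", "maxbytes")


def parse_key_users(text):
    """Return one dict per UID line; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            rows.append(dict(zip(FIELDS, map(int, m.groups()))))
    return rows


def near_quota(rows, threshold=0.9):
    """List (uid, resource, used, limit) for each quota at/above threshold."""
    flagged = []
    for r in rows:
        for res, used, limit in (("keys", r["qnkeys"], r["maxkeys"]),
                                 ("bytes", r["qnbytes"], r["maxbytes"])):
            # A limit of 0 would mean no usable quota figure; skip it.
            if limit and used / limit >= threshold:
                flagged.append((r["uid"], res, used, limit))
    return flagged


def load(path="/proc/key-users"):
    """Read the live accounting file, falling back to the constructed sample."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return SAMPLE


if __name__ == "__main__":
    for uid, res, used, limit in near_quota(parse_key_users(load())):
        print(f"uid {uid}: {used}/{limit} quota'd {res} in use")
```

Run as root to see every UID's line; an unprivileged reader may see only its own entry.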