[OpenAFS-devel] linux keyrings, PAGs and KEY_ALLOC_IN_QUOTA

Simon Wilkinson sxw@inf.ed.ac.uk
Tue, 16 Mar 2010 13:23:28 +0000


On 16 Mar 2010, at 13:01, Rainer Toebbicke wrote:

> In 1.4.11, under Linux >= 2.6.18, the setpag() routine allocates a
> new session keyring and afs pag with the KEY_ALLOC_IN_QUOTA flag.

I think Marc has partially addressed this with
a3812f211a56c0d6e0a7ff8a97f157707d3d8c28 - this missed the 1.4.12
merges, but should go into 1.4.13. As the review comments on that change
note, we still need to think further about session keyrings.

The issue with a session keyring is that it's correct to create it with
the user's quota - providing that setpag() is called as the user who's
eventually going to use it. The problem is that some PAM modules run
setpag() as root, and so use up root's quota, rather than that of the
end user.

> Besides the problematic debugging (this fails silently when over
> key-quota)

This is RT 126230, and is fixed by
0caf14224a9153bb488be9e52d67892a2c441a5a (again, this was committed
after 1.4.12 was cut)

S.
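
One way to see whose key quota is being consumed, for example root's when a PAM module calls setpag() as root, is to read /proc/key-users. This is an added example, not part of the original message and not OpenAFS code; the function names, the 0.9 threshold and the sample data are assumptions made for illustration.

```python
import re

# Line format of /proc/key-users as documented in keyrings(7):
#   <uid>: <usage> <nkeys>/<nikeys> <qnkeys>/<maxkeys> <qnbytes>/<maxbytes>
_LINE = re.compile(
    r"^\s*(\d+):\s+(\d+)\s+(\d+)/(\d+)\s+(\d+)/(\d+)\s+(\d+)/(\d+)\s*$"
)
_FIELDS = ("usage", "nkeys", "nikeys", "qnkeys", "maxkeys", "qnbytes", "maxbytes")

# Constructed sample, not captured from a real host: UID 0 is almost out of
# keys, which is the picture expected when keys are allocated against root.
SAMPLE = """\
    0:   212 211/211 198/200 9400/20000
 1000:     6 5/5 3/200 61/20000
 1001:     5 4/4 4/200 19800/20000
"""

def parse_key_users(text):
    """Return {uid: {field: int}} for each well-formed line; skip the rest."""
    users = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            uid, *values = map(int, m.groups())
            users[uid] = dict(zip(_FIELDS, values))
    return users

def near_quota(users, threshold=0.9):
    """List (uid, key_ratio, byte_ratio) for UIDs at or above the threshold."""
    flagged = []
    for uid, u in sorted(users.items()):
        # qnkeys/qnbytes count only keys that were charged to the quota.
        key_ratio = u["qnkeys"] / u["maxkeys"] if u["maxkeys"] else 0.0
        byte_ratio = u["qnbytes"] / u["maxbytes"] if u["maxbytes"] else 0.0
        if max(key_ratio, byte_ratio) >= threshold:
            flagged.append((uid, round(key_ratio, 2), round(byte_ratio, 2)))
    return flagged

if __name__ == "__main__":
    try:
        with open("/proc/key-users") as fh:
            text = fh.read()
    except OSError:  # not Linux, or /proc unavailable: use the sample
        text = SAMPLE
    for uid, keys, size in near_quota(parse_key_users(text)):
        print(f"uid {uid}: keys {keys:.0%} of quota, bytes {size:.0%} of quota")
```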