[OpenAFS-devel] linux keyrings, PAGs and KEY_ALLOC_IN_QUOTA
Rainer Toebbicke
rtb@pclella.cern.ch
Wed, 17 Mar 2010 11:20:45 +0100
Simon Wilkinson wrote:
>
>
> It's a bit more complex than this. What happens is that with every
> setpag we allocate two key objects. The first is a session keyring,
> which we allocate as the user performing the setpag, and is counted
> against their quota. The second is an object to contain the PAG, which
> is allocated as root so that a user can't change the PAG that they are
> in. Due to us failing to keep up with kernel interface changes this is
> counted against root's quota, but will still be created even if root is
> over quota.
>
Luckily, the PAG object isn't actually created if creation of the new session
keyring fails. This is correct, as otherwise you could end up changing a PAG
that you share with somebody else, giving credentials to somebody who doesn't
deserve them.
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rainer Toebbicke
European Laboratory for Particle Physics(CERN) - Geneva, Switzerland
Phone: +41 22 767 8985 Fax: +41 22 767 7155