[OpenAFS-devel] linux keyrings, PAGs and KEY_ALLOC_IN_QUOTA
Chas Williams (CONTRACTOR)
chas@cmf.nrl.navy.mil
Wed, 17 Mar 2010 10:03:05 -0400
In message <94A66917-6957-4821-BCD7-4CD3A6220086@inf.ed.ac.uk>, Simon Wilkinson writes:
>setpag we allocate two key objects. The first is a session keyring,
>which we allocate as the user performing the setpag, and is counted
>against their quota. The second is an object to contain the PAG, which
>is allocated as root so that a user can't change the PAG that they are

Actually, I think I made it root so that the user couldn't read/write
the key. The author once pointed out to me that if you prefix a key
with '.' then the user, despite ownership, cannot create/delete keys.
This might be a better solution in the long term.

Look at key_get_type_from_user() in security/keys/keyctl.c.