[OpenAFS] pag's with new 2.6 mechanism
Ryan Underwood
nemesis-lists@icequake.net
Mon, 10 Jan 2005 23:00:40 -0600

On Sun, Jan 09, 2005 at 04:18:24PM -0600, Ryan Underwood wrote:
>
> I run Apache with tokens to access the web server space which is not
> publicly accessible. To do this, I use pagsh as the interpreter for
> apache's init script. The init script launches two processes: the
> apache process, and a reauthentication daemon. The reauth daemon is
> just a shell script which periodically kinits and aklogs to keep
> Apache's credentials refreshed. This worked under 2.4, but I guess the
> PAG behavior has changed for 2.6 where sys_call_table is unavailable.
>
> I understand a new PAG mechanism was introduced to bypass the
> afs_syscall issue, so I guess this is where the problem lies.

I think I found the issue. PAGs no longer survive a setuid() call. As
soon as an Apache child changes from root to www-data, it has lost its
credentials. Under 2.4, the credentials are still available after
setuid so the child can access the sites on AFS.

Any ideas?

--
Ryan Underwood, <nemesis@icequake.net>