[OpenAFS] keyring support

Jeffrey Hutzelman jhutz@cmu.edu
Wed, 06 Dec 2006 17:18:23 -0500


On Wednesday, November 15, 2006 12:21:53 PM -0800 Russ Allbery 
<rra@stanford.edu> wrote:

> Ryan Underwood <nemesis-lists@icequake.net> writes:
>> On Fri, Nov 10, 2006 at 03:43:11PM -0600, Ryan Underwood wrote:
>
>>> What Linux kernel and what OpenAFS version are necessary for the
>>> keyring pag support?  I am using 2.6.16 and OpenAFS 1.4.2 and pags are
>>> still not being preserved across fork.
>
>> Interesting.  It appears that an authenticated shell can fork and exec
>> another process and that process has tokens, but an authenticated shell
>> that forks and execs another shell results in a child shell with no
>> tokens.  What would cause that?
>
> I have no idea with keyrings, but if groups were being used, that sounds
> exactly like the symptoms of not being able to interrupt the setgroups
> system call.  Shells often call initgroups when they're started, which
> will drop the PAG groups unless the setgroups system call is successfully
> intercepted.

Um, setgroups is privileged; ordinary shells don't get to call it.
Unless your uid is 0, or whatever passes for that on your system.