[OpenAFS] Re: [OpenAFS-devel] keyring issues

chas williams - CONTRACTOR chas@cmf.nrl.navy.mil
Tue, 24 Oct 2006 09:26:50 -0400 

In message <453DD557.2080601@strike.wu-wien.ac.at>,Alexander Bergolth writes:
>*) How do the setgroups() hooks and keyring support play together? What
>happens if both the system call table had been found and is writeable
>and keyring support is enabled?

they try to work together.  if you find and patch the syscall table,
then the keyring stuff should have anything to do.  currently, the
keyring is used to put the special groups back if they are missing.
this should only happen if the setgroups syscall isnt patched.
the afs setpag() syscall sets the special groups and creates the
keyring pag.

>*) I've noticed that even if setgroups() twisting is disabled, an
>openafs client with keyring support will still use two groups to
>identify the PAG. How are those two groups are connected to the keyring
>found in /proc/keys? Are there any debugging tools for the interaction
>of tokens, groups and keyrings? And is there any information on if and
>how the keyrings are transported across forks and user-id changes?

since this is the first public version, i didnt want to many changes.
its helpful to be able to look at the group list and see if you have
a pag.  while some linuxes might a keyring capapble kernel they lack
the userspace control program keyctl which is what you would normally
use to peek at your keyring.  a typical use for keyctl would be:

% keyctl show
Session Keyring
       -3 --alswrv      0  1025  keyring: _ses.5901
      102 ----s--v      0     0   \_ afs_pag: _pag

5901 is the task/session id for the session keyring (you can see this
with ps if you try hard enough).  _pag is the afs pag.  its intended
to be immutable.

setpag() creates a new session keyring (replacing any existing session
keyring).  this is correct for afs but might create havoc for others
applications using the keyring.  generally, if you setpag() you want a
"clean" environment, so this is possibly correct behavior.  however,
at login, it is be important that afs does the setpag() before any
authentication data is added to the keyring.

>*) I've noticed that with openafs 1.4.2 with keyring support enabled,
>doing an "su" will keep the token but returning from the root shell will
>discard the token (see below). Previous (setgroups() based)
>implementations didn't show this behavior. What's the reason for this
>and how can I revert to the old style?

i dont see the behavior when i try the same on my local machine.

>$ id -G
>3000 33769 46409 6 10 500 501 502 33769 46408
...
>$ id -G
>3000 33769 46409 6 10 500 501 502 33769 46408

it still looks like you have the pag.  perhaps someone/something did an
unlog when you exit'ed from the su, pam_afs/pam_aklog?  the pag is just a
container, it doesnt have to hold afs credentials.