[OpenAFS] PAGs and group ids

Christopher Allen Wing wingc@umich.edu
Mon, 18 Jun 2007 12:57:10 -0400 (EDT)


On Mon, 11 Jun 2007, Russ Allbery wrote:

> Note that, if possible, the group is also created even if the keyring is
> used.

Yes; this is true for now, but it's not something that should be relied 
upon since the group is not always guaranteed to be there (e.g., when 
calling getgroups()), even when the process is a member of a PAG.

In particular, on recent Linux kernels w/ keyring support, when a process 
calls setgroups(), the special AFS groups go away, but the process is 
still a member of the PAG as determined by the keyring data.  The special 
group/groups will then be re-created the next time that the process 
attempts to access AFS (which might happen at some non-deterministic 
moment in the future).  So you can't assume that absence of the special 
group IDs implies that the process is not inside a PAG.

(Okay, I guess you could always attempt some AFS no-op before calling 
getgroups(), which would cause the AFS module to re-create the special 
group if you were in a PAG, but that's an implementation detail I wouldn't 
want to rely upon either.)
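The practical consequence of the reply above is that, on a kernel with keyring-based PAGs, a membership check should look at the keyring rather than at the supplementary group list. The script below is an added example and is not code from the mailing-list thread or from OpenAFS. It assumes, as stated in its comments, that the AFS kernel module represents a PAG as a key of type "afs_pag" visible through /proc/keys, and that /proc/keys uses the documented column order (serial, flags, usage, expiry, perms, uid, gid, type, description). The sample /proc/keys content is constructed for the example.

```python
"""Decide PAG membership from keyring data instead of from getgroups().

Added example; not from the OpenAFS mailing-list post or from OpenAFS.
Assumptions (not stated in the post):
  * the AFS kernel module stores a PAG as a key whose type name is
    "afs_pag" (PAG_KEY_TYPE below);
  * /proc/keys lists one key per line in the column order
    serial flags usage expiry perms uid gid type description[: summary].
"""
from dataclasses import dataclass
from typing import List, Optional

PAG_KEY_TYPE = "afs_pag"  # assumed key type name registered by the AFS module

# Constructed sample of /proc/keys: a session keyring, a user keyring and
# one AFS PAG key owned by uid 1000. Values are made up for the example.
SAMPLE_PROC_KEYS = """\
0a1b2c3d I--Q---     2 perm 3f030000  1000  1000 keyring   _ses: 2
1e2f3a4b I--Q---     1 perm 3f010000  1000  1000 keyring   _uid.1000: empty
2b3c4d5e I--Q---     1 perm 1f0f0000  1000  1000 afs_pag   _pag: 42
"""


@dataclass
class KeyRecord:
    serial: int
    flags: str
    usage: int
    expiry: str
    perms: int
    uid: int
    gid: int
    ktype: str
    description: str


def parse_proc_keys(text: str) -> List[KeyRecord]:
    """Parse /proc/keys text into records.

    Lines that do not carry the expected fields, or whose numeric fields do
    not parse, are skipped rather than raised on, so one odd line cannot
    abort a membership check.
    """
    records: List[KeyRecord] = []
    for line in text.splitlines():
        parts = line.split(None, 8)  # description may itself contain spaces
        if len(parts) < 9:
            continue
        try:
            records.append(KeyRecord(
                serial=int(parts[0], 16),
                flags=parts[1],
                usage=int(parts[2]),
                expiry=parts[3],
                perms=int(parts[4], 16),
                uid=int(parts[5]),
                gid=int(parts[6]),
                ktype=parts[7],
                description=parts[8].strip(),
            ))
        except ValueError:
            continue
    return records


def find_pag_key(records: List[KeyRecord], uid: Optional[int] = None) -> Optional[KeyRecord]:
    """Return the first PAG key, optionally restricted to keys owned by uid."""
    for rec in records:
        if rec.ktype != PAG_KEY_TYPE:
            continue
        if uid is not None and rec.uid != uid:
            continue
        return rec
    return None


def in_pag(proc_keys_text: str, uid: Optional[int] = None) -> bool:
    """True if a PAG key is visible in the given /proc/keys text."""
    return find_pag_key(parse_proc_keys(proc_keys_text), uid) is not None


if __name__ == "__main__":
    import os
    try:
        with open("/proc/keys") as fh:
            text = fh.read()
        print("using live /proc/keys")
    except OSError:
        text = SAMPLE_PROC_KEYS
        print("no /proc/keys here; using the constructed sample")
    key = find_pag_key(parse_proc_keys(text), uid=os.getuid())
    print("PAG key found:" if key else "no PAG key visible", key)
```

Note that /proc/keys shows every key the caller has permission to view, not only the keys linked into the caller's own session keyring, so a visible afs_pag key is evidence that some PAG exists for that uid rather than proof that this process is in it; an exact check would search the session keyring through keyctl(2). Either way, the check does not depend on the special group ids that setgroups() may have discarded.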