[OpenAFS] PAGs and group ids
Christopher Allen Wing
wingc@umich.edu
Mon, 18 Jun 2007 12:57:10 -0400 (EDT)
Russ:
On Mon, 11 Jun 2007, Russ Allbery wrote:
> Note that, if possible, the group is also created even if the keyring is
> used.
Yes; this is true for now, but it's not something that should be relied
upon since the group is not always guaranteed to be there (e.g, when
calling getgroups()), even when the process is a member of a PAG.
In particular, on recent linux kernels w/keyring support, when a process
calls setgroups(), the special AFS groups go away, but the process is
still a member of the PAG as determined by the keyring data. The special
group/groups will then be re-created the next time that the process
attempts to access AFS (which might happen at some non-deterministic
moment in the future). So you can't assume that absence of the special
group IDs implies that the process is not inside a PAG.
(Okay, I guess you could always attempt some AFS no-op before calling
getgroups(), which would cause the AFS module to re-create the special
group if you were in a PAG, but that's an implementation detail I wouldn't
want to rely upon either)
-Chris
wingc@umich.edu