[OpenAFS] Removing the ability to change the PAG of the parent

Rainer Toebbicke rtb@pclella.cern.ch
Wed, 17 Feb 2010 09:46:06 +0100 

Simon Wilkinson schrieb:
> We're currently (on opeanfs-devel) discussing a new mechanism for 
> storing tokens in the kernel - this new mechanism is required to support 
> new security layers such as rxgk and rxk5. There have been a significant 
> number of posters advocating removing the 'change the PAG of my parent' 
> feature, which is used by aklog -setpag, amongst others. A process would 
> still be able to change its own PAG.
> 
> There are numerous technical reasons for wanting to make this change. 
> This functionality is very difficult to implement in a cross-platform 
> manner, without exposing ourselves to all sorts of kernel races. On some 
> platforms (such as Linux) it works on some kernel versions, but not on 
> others. Things would be made considerably easier if this feature went away.
> 
> Based on current developer feedback, I'm planning on removing the setpag 
> functionality from the new interface. However, before making the final 
> decision, I'm very interested in hearing the views of deployers and end 
> users? How many of you rely on aklog -setpag? How difficult would things 
> be for you if it went away in some future major release [*]?
> 

A script that acquires credentials can only safely do so in a pag. "script" 
including pythons, perls, rubies and other programs which do not have a 
setpag() call.

Often the problem can be circumvented with a "pagsh -c 'exec 
perl-program'"-like construct, but there are cases where such a split is 
unnatural and sometimes tricky: a setuid script for example. Programs which 
fork and continue something in a new pag: you couldn't write a simple server 
with sub-authentication in perl without this (I am -possibly without 
justification- not a friend of the AFS-perl package).

Hence, yes, the functionality is valuable and useful for *setting a new pag in 
a script*.

This does not mean it has to be implemented by *set the pag of your parent*: 
there are many things scripts can do on their own, under Linux a "echo 1 > 
/proc/sys/afs/setpag" would be fine. Since /proc is very linux-and-a-few-more 
specific, I wouldn't cry foul either if there were a live 
/afs/system-parameters file that we could more easily divert cross-platform.


-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rainer Toebbicke
European Laboratory for Particle Physics(CERN) - Geneva, Switzerland
Phone: +41 22 767 8985       Fax: +41 22 767 7155