[OpenAFS] How can I create new pag for a process whose euid doesn't equal to ruid under keyring setttings?
Sun, 01 Sep 2013 21:07:05 -0700
shuaijie wang <firstname.lastname@example.org> writes:
> I have a daemon process whose ruid is a normal user and euid is root, it
> does most of its work under normal user, but occasionally it needs to
> change its euid to root to do something, so we can't just change both of
> its ruid and euid to normal user. And when I want to create a PAG for
> this process, I make this process to fork a child to exec aklog -setpag
> to do this, but our linux kernel is 2.6.34, which has keyring feature
> enabled, and we found that under this circumstance, the keyring created
> by this process belongs to the ruid, not euid, so the keyring created is
> root, and the aklog forked by this daemon can't write into this keyring,
> thus causing pag creation error. And I've tries many ways to change the
> permission of the keyring, but they didn't work.
aklog -setpag is a horrible hack that (IMO) completely breaks the expected
inheritance semantics of PAGs. It's also rather fragile and has broken
from time to time, since it requires a child process to change internal
state of its parent, which is not an operation that's normally supposed to
be possible. I would never use it.
Instead, create the PAG directly in the parent process using the
k_setpag() function provided by libkafs or libkopenafs.
Russ Allbery (email@example.com) <http://www.eyrie.org/~eagle/>