[OpenAFS] How can I create a new PAG for a process whose euid doesn't equal its ruid under keyring settings?

Russ Allbery rra@stanford.edu
Sun, 01 Sep 2013 21:07:05 -0700

shuaijie wang <wangshuaijie@gmail.com> writes:

> I have a daemon process whose ruid is a normal user and euid is root, it
> does most of its work under normal user, but occasionally it needs to
> change its euid to root to do something, so we can't just change both of
> its ruid and euid to normal user.  And when I want to create a PAG for
> this process, I make this process fork a child to exec aklog -setpag
> to do this, but our linux kernel is 2.6.34, which has keyring feature
> enabled, and we found that under this circumstance, the keyring created
> by this process belongs to the ruid, not euid, so the keyring created is
> root, and the aklog forked by this daemon can't write into this keyring,
> thus causing a PAG creation error.  And I've tried many ways to change the
> permission of the keyring, but they didn't work.

aklog -setpag is a horrible hack that (IMO) completely breaks the expected
inheritance semantics of PAGs.  It's also rather fragile and has broken
from time to time, since it requires a child process to change internal
state of its parent, which is not an operation that's normally supposed to
be possible.  I would never use it.

Instead, create the PAG directly in the parent process using the
k_setpag() function provided by libkafs or libkopenafs.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
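The approach Russ recommends, as an added example that is not part of the original thread and not OpenAFS or libkopenafs code: the daemon calls k_setpag() itself, before any fork, so the PAG is created in the parent and inherited by every child, and aklog is then run without -setpag so no child has to reach into the parent's state. The example loads libkopenafs with dlopen() instead of linking it, purely so the file builds on a host without the kafs.h headers; a real daemon would include <kafs.h> and link with -lkopenafs. The library sonames tried, the return-code enum and the helper names are this example's own assumptions.

```c
/* Added example (not from the mailing-list post or from OpenAFS).
 * Creates the PAG in the parent with k_setpag() from libkopenafs, then runs
 * aklog (without -setpag) as a child that inherits the PAG.
 * Build: cc -o pagdemo pagdemo.c (add -ldl on glibc older than 2.34). */
#include <dlfcn.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/wait.h>

/* Matches the declarations in kafs.h: int k_hasafs(void); int k_setpag(void); */
typedef int (*kafs_fn)(void);

enum {
    PAG_OK            =  0,
    PAG_NO_LIB        = -2,  /* libkopenafs/libkafs not found at run time */
    PAG_NO_AFS        = -3,  /* k_hasafs() says no AFS client is running */
    PAG_SETPAG_FAILED = -4   /* k_setpag() returned non-zero */
};

/* Soname candidates are an assumption for this example; adjust per distro. */
static void *load_kafs(void) {
    const char *names[] = { "libkopenafs.so.1", "libkopenafs.so",
                            "libkafs.so.0", "libkafs.so" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        void *h = dlopen(names[i], RTLD_NOW);
        if (h)
            return h;
    }
    return NULL;
}

/* Create the PAG in the calling (parent) process. Because the PAG is made
 * here rather than by a child, the ruid/euid split of the daemon never has
 * to be reconciled with a child's ability to modify its parent. */
int create_pag_in_parent(void) {
    void *h = load_kafs();
    if (!h)
        return PAG_NO_LIB;
    kafs_fn k_hasafs = (kafs_fn)dlsym(h, "k_hasafs");
    kafs_fn k_setpag = (kafs_fn)dlsym(h, "k_setpag");
    if (!k_hasafs || !k_setpag) {
        dlclose(h);
        return PAG_NO_LIB;
    }
    if (!k_hasafs()) {
        dlclose(h);
        return PAG_NO_AFS;
    }
    int rc = k_setpag();          /* 0 on success, -1 on failure */
    dlclose(h);                   /* PAG is kernel state; library no longer needed */
    return rc == 0 ? PAG_OK : PAG_SETPAG_FAILED;
}

/* Run aklog as a child. It inherits the parent's PAG and fetches tokens
 * into it; no -setpag, so nothing is written back into the parent.
 * Returns aklog's exit status, or -1 on fork/wait failure. */
int run_aklog_in_pag(void) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp("aklog", "aklog", (char *)NULL);
        _exit(127);               /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    int rc = create_pag_in_parent();
    if (rc != PAG_OK) {
        fprintf(stderr, "could not create PAG in parent (rc=%d)\n", rc);
        return 1;
    }
    return run_aklog_in_pag() == 0 ? 0 : 1;
}
```

The order matters: k_setpag() runs once in the daemon before any fork, so later children (aklog, helpers, anything the daemon spawns) all share the same PAG, which is the inheritance behaviour Russ says aklog -setpag breaks. On a machine without an AFS client the function reports PAG_NO_LIB or PAG_NO_AFS rather than pretending a PAG exists.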