[OpenAFS] How can I create new pag for a process whose euid doesn't equal to ruid under keyring settings?

shuaijie wang wangshuaijie@gmail.com
Mon, 2 Sep 2013 13:30:35 +0800



Thanks very much! I will switch to API approach.


2013/9/2 Russ Allbery <rra@stanford.edu>

> shuaijie wang <wangshuaijie@gmail.com> writes:
>
> > I have a daemon process whose ruid is a normal user and euid is root, it
> > does most of its work under normal user, but occasionally it needs to
> > change its euid to root to do something, so we can't just change both of
> > its ruid and euid to normal user.  And when I want to create a PAG for
> > this process, I make this process to fork a child to exec aklog -setpag
> > to do this, but our Linux kernel is 2.6.34, which has keyring feature
> > enabled, and we found that under this circumstance, the keyring created
> > by this process belongs to the ruid, not euid, so the keyring created is
> > root, and the aklog forked by this daemon can't write into this keyring,
> > thus causing pag creation error.  And I've tried many ways to change the
> > permission of the keyring, but they didn't work.
>
> aklog -setpag is a horrible hack that (IMO) completely breaks the expected
> inheritance semantics of PAGs.  It's also rather fragile and has broken
> from time to time, since it requires a child process to change internal
> state of its parent, which is not an operation that's normally supposed to
> be possible.  I would never use it.
>
> Instead, create the PAG directly in the parent process using the
> k_setpag() function provided by libkafs or libkopenafs.
>
> --
> Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
>
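
The approach recommended above, as an added example that is not part of the original thread and is not OpenAFS project code: the daemon calls k_setpag() itself, then runs aklog without -setpag in a child, which inherits the new PAG. The HAVE_KOPENAFS macro, the stand-in functions used when it is undefined, and the /usr/bin/aklog path are assumptions.

```c
/* Added example: create the PAG in the daemon itself, then let a child
 * (aklog without -setpag) inherit it. Not code from the thread. */
#include <errno.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifdef HAVE_KOPENAFS            /* assumed macro: cc -DHAVE_KOPENAFS ... -lkopenafs */
#include <kopenafs.h>
#else                           /* stand-ins so the file builds without AFS */
static int k_hasafs(void) { return 0; }   /* report "AFS not available" */
static int k_setpag(void) { return -1; }
#endif

/* Put the calling process in a new PAG.
 * Returns 0 on success, -1 on failure (errno is ENOSYS when AFS is absent). */
int create_pag(void)
{
    if (!k_hasafs()) {          /* AFS syscall layer not available */
        errno = ENOSYS;
        return -1;
    }
    return k_setpag() == 0 ? 0 : -1;
}

/* Run a helper in a child and return its exit status (-1 on error).
 * The child inherits the parent's PAG, so tokens it obtains land there. */
int run_in_pag(const char *path, char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(path, argv);
        _exit(127);             /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char *argv[] = { "aklog", NULL };

    if (create_pag() != 0)
        return 1;
    return run_in_pag("/usr/bin/aklog", argv) == 0 ? 0 : 1;  /* assumed path */
}
```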
