(BCC'd bugs) I have noticed a bit of interesting PAG behavior in Linux when keyring- and group-based PAG tracking are in effect. Specifically, say someone does something like this in a process (as root):
(1) setpag(), set tokens (2) x = getgroups(n, grouplist) (3) setpag(), set tokens (4) setgroups(x, grouplist) I'll call the PAG acquired in step (1) PAG X, and the one acquired in step (3) PAG Y. After step (3), the refcount for the _pag key for PAG X goes to zero, and linux tells us to destroy the PAG X _pag key, and we set PAG X's ct.EndTimestamp to 0. After step (4), the process is effectively back in PAG X, since the grouplist we got in (2) contains PAG X's id. The setgroups() hook only adds a PAG id if one doesn't already exist, so it of course allows setting that id. So now the process is in a rather confusing state where the process has access to AFS according to the tokens it acquired in step (1), up until PAG X gets GC'd in afs_GCUserData as part of the ten minute check. After a max of ten minutes, the process's access seems to mysteriously dissappear (from the point of view of the user). No kernel messages or anything; you just lose access. I can think of a at least few ways to prevent this from happening. I'm not sure which one(s) is/are the most 'correct' moving forward: A. In the setgroups() hook, ignore any supplied PAG-ish gids; or at least ignore ones that are invalid or expired (this is a bit annoying at present due to the way the setgroups() hook doesn't have any common-platform code right now, I don't think) B. Turn off group-based PAG tracking entirely when we have keyring-based PAG tracking C. In PagInCred, fall through to getting the PAG from the keyring if the group-derived PAG is invalid/expired D. In PagInCred, check the keyring PAG first Actually, now from writing this, B and D look most correct. With just C or D, we still have the 'wrong' PAG groupid in the group list, though. Obviously A won't work when we haven't installed the setgroups hook. B might still have the problem with GCPAGs that I just mentioned in the PAGs/tokens/threads thread, but that's easily fixable by turning off GCPAGs as well (or fixing PagInCred to actually look at the specific process's keyring). But enough rambling. Thoughts? -- Andrew Deason [email protected] _______________________________________________ OpenAFS-devel mailing list [email protected] https://lists.openafs.org/mailman/listinfo/openafs-devel
