In 1.4.11, under Linux >= 2.6.18, the setpag() routine allocates a new session
keyring and afs pag with the KEY_ALLOC_IN_QUOTA flag.
Besides the problematic debugging (this fails silently when over key-quota),
it creates a problem for a daemon running as root, opening a pag and then
'su'ing to a normal user: as the keyring creation fails, the 'su'ed process
does not run in its caller's pag and hence without credentials.
Under RHEL5 the keyring quota is 100, hard-coded as far as I can see, and
already 50 sshd sessions fill it up (with the standard red-hat pam_krb5,
sshd/pam seems to setpag() as root, each counting as two entries, even though
the user seems to run in yet another pag).
One might argue whether sshd/pam should be using up a pag accounted against
root is logical, on the other hand I consider creating a pag as root a valid
use-case and a quota of effectively 50 unacceptably low. (Under Ubuntu karmic
this is 200 (->100), which does not change the problem fundamentally).
Hence I suggest to change this to use KEY_ALLOC_NOT_IN_QUOTA for root, and
KEY_ALLOC_IN_QUOTA for others, for the new session keyring.
Any thoughts?
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rainer Toebbicke
European Laboratory for Particle Physics(CERN) - Geneva, Switzerland
Phone: +41 22 767 8985 Fax: +41 22 767 7155
_______________________________________________
OpenAFS-devel mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-devel
