On 17 Mar 2010, at 08:35, Rainer Toebbicke wrote:
> On RHEL5 every sshd session holds at least one pag for root, so yes as soon as there are 50 users logged in strange things happen. ssh sessions as root would start to "share" tokens I suppose. Also, there must be a reason why pam does a setpag as root and another one as user: that corner case wouldn't be covered. Given that even with the fix checking return codes programs would have to start checking setpag()'s return code... and then what?
It's a bit more complex than this. What happens is that with every setpag we allocate two key objects. The first is a session keyring, which we allocate as the user performing the setpag, and is counted against their quota. The second is an object to contain the PAG, which is allocated as root so that a user can't change the PAG that they are in. Due to us failing to keep up with kernel interface changes, this is counted against root's quota, but will still be created even if root is over quota.
So, if you're using a PAM module which calls setpag as the user, you won't see any problems until you try to call setpag as root. If your PAM module calls setpag as root, then you're going to hit a limit. Calling setpag twice in the same session (if there are modules that do so) won't be an issue, because the second setpag replaces the objects created by the first - the first setpag's objects will be garbage collected, and their quota counts refunded.
Simon.
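An added example, not part of the original message or of OpenAFS: a small check an administrator could run to see which UIDs are near or over the kernel key quota discussed above. It assumes the Linux `/proc/key-users` layout (`uid: usage nkeys/nikeys qnkeys/maxkeys qnbytes/maxbytes`); the sample lines and the 0.9 threshold are constructed for illustration.

```python
import re
from typing import NamedTuple

# Constructed sample in the /proc/key-users layout (not captured from a real host):
# uid: usage nkeys/nikeys qnkeys/maxkeys qnbytes/maxbytes
SAMPLE = """\
    0:   210 209/209 205/200 4100/20000
 1001:     3 2/2 2/200 40/20000
 1002:   190 189/189 185/200 3700/20000
"""

LINE_RE = re.compile(
    r"^\s*(\d+):\s+(\d+)\s+(\d+)/(\d+)\s+(\d+)/(\d+)\s+(\d+)/(\d+)\s*$"
)

class KeyUser(NamedTuple):
    uid: int
    qnkeys: int    # keys currently charged to this UID's quota
    maxkeys: int   # key-count limit for this UID
    qnbytes: int   # bytes currently charged to this UID's quota
    maxbytes: int  # byte limit for this UID

def parse_key_users(text):
    """Parse /proc/key-users text into KeyUser records, skipping odd lines."""
    users = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or unrecognised line
        uid, _usage, _nkeys, _nikeys, qk, mk, qb, mb = map(int, m.groups())
        users.append(KeyUser(uid, qk, mk, qb, mb))
    return users

def near_quota(users, threshold=0.9):
    """Return (uid, state) for UIDs at or above threshold of either limit."""
    flagged = []
    for u in users:
        ratio = max(u.qnkeys / u.maxkeys if u.maxkeys else 0.0,
                    u.qnbytes / u.maxbytes if u.maxbytes else 0.0)
        if ratio >= 1.0:
            flagged.append((u.uid, "over"))   # e.g. root-owned PAG objects
        elif ratio >= threshold:
            flagged.append((u.uid, "near"))
    return flagged

if __name__ == "__main__":
    try:
        with open("/proc/key-users") as f:
            text = f.read()
    except OSError:
        text = SAMPLE  # fall back to the constructed sample off-Linux
    for uid, state in near_quota(parse_key_users(text)):
        print(f"uid {uid}: key quota {state} limit")
```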
