I asked about the failure of 'unpagsh' under kernels 2.6.x, and Jeffrey Hutzelman replied:
On Tue, Mar 08, 2005 at 11:01:35AM -0500, Jeffrey Hutzelman wrote:That's not surprising. unpagsh is not my code, but I did take a quick look at it when you posted your first message. It works by overflowing the fixed-size group list maintained by the kernel with "real" groups, leaving no room for the groups added by AFS to represent the PAG. In Linux 2.6, the list of groups associated with a process is not a fixed-size array; it is dynamic, and our setgroups wrapper always grows the list to make room for the PAG groups. So you can't get rid of them by overflowing the array.
Making this work would require a change to the OpenAFS kernel code.
Isn't there a way -- not necessarily specifically using OpenAFS kernel features -- to get rid of a group without doing something dodgy? One can assume, for my purposes, that one is root and so on. As far as I can see, there are standard ways only to add a group to a process, not to get rid of it. It would be adequate if one could create a new process with the AFS groups left out... I don't see how to do such a thing using existing library functions.
You can use setgroups() to _replace_ the set of groups a process has; after a call to setgroups, the process has only the groups you specified. However, AFS traps setgroups and takes special steps to insure that the groups representing a PAG are preserved across the setgroups call, even if they're not included in the list you specify.
So, there is a standard way to remove groups, but it doesn't work for our "special" groups, which is why unpagsh uses the overflow hack.
-- Jeff _______________________________________________ OpenAFS-info mailing list [email protected] https://lists.openafs.org/mailman/listinfo/openafs-info
