Simon Wilkinson wrote:
> We're currently (on openafs-devel) discussing a new mechanism for
> storing tokens in the kernel - this new mechanism is required to support
> new security layers such as rxgk and rxk5. There have been a significant
> number of posters advocating removing the 'change the PAG of my parent'
> feature, which is used by aklog -setpag, amongst others. A process would
> still be able to change its own PAG.
> There are numerous technical reasons for wanting to make this change.
> This functionality is very difficult to implement in a cross-platform
> manner without exposing ourselves to all sorts of kernel races. On some
> platforms (such as Linux) it works on some kernel versions, but not on
> others. Things would be made considerably easier if this feature went away.
> Based on current developer feedback, I'm planning on removing the setpag
> functionality from the new interface. However, before making the final
> decision, I'm very interested in hearing the views of deployers and end
> users. How many of you rely on aklog -setpag? How difficult would things
> be for you if it went away in some future major release [*]?
A script that acquires credentials can only safely do so in a PAG. "Script"
here includes Pythons, Perls, Rubies and other programs which do not have a
setpag() call.
Often the problem can be circumvented with a "pagsh -c 'exec
perl-program'"-like construct, but there are cases where such a split is
unnatural and sometimes tricky: a setuid script for example. Programs which
fork and continue something in a new pag: you couldn't write a simple server
with sub-authentication in perl without this (I am -possibly without
justification- not a friend of the AFS-perl package).
Hence, yes, the functionality is valuable and useful for *setting a new pag in
a script*.
This does not mean it has to be implemented by *set the pag of your parent*:
there are many things scripts can do on their own; under Linux an "echo 1 >
/proc/sys/afs/setpag" would be fine. Since /proc is very linux-and-a-few-more
specific, I wouldn't cry foul either if there were a live
/afs/system-parameters file that we could more easily divert cross-platform.
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rainer Toebbicke
European Laboratory for Particle Physics(CERN) - Geneva, Switzerland
Phone: +41 22 767 8985 Fax: +41 22 767 7155
_______________________________________________
OpenAFS-info mailing list
https://lists.openafs.org/mailman/listinfo/openafs-info
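The "pagsh -c 'exec script'" workaround Rainer describes, written out as a self-re-exec idiom so that a plain sh/perl/python script lands in a fresh PAG without having a setpag() call of its own. This is an added example, not code from the original message or from OpenAFS; the _IN_PAGSH marker variable, the quoting helper and the --run guard are this example's own inventions, and the GID range used by in_pag_groups reflects my understanding of the Linux single-group PAG encoding ('A' << 24), not something the thread states.

```shell
#!/bin/sh
# Added example (not from the original post or OpenAFS itself): re-exec a
# script under "pagsh -c 'exec ...'" so it runs in its own PAG.  The
# _IN_PAGSH marker, shquote/build_pagsh_cmd and the --run guard are
# assumptions of this example.

# Single-quote one argument so the shell pagsh spawns re-parses it verbatim,
# even with spaces or quotes inside (it's  ->  'it'\''s').
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Build the string handed to pagsh -c:  exec '<prog>' '<arg>' ...
# "exec" replaces pagsh's throwaway shell, so only our process lives in the PAG.
build_pagsh_cmd() {
    cmd="exec"
    for a in "$@"; do
        cmd="$cmd $(shquote "$a")"
    done
    printf '%s' "$cmd"
}

# $1 is the current value of the marker variable (empty when unset).
# Returns 0 when we still have to enter a PAG.
needs_pag() {
    [ -z "$1" ]
}

# Assumed Linux group-based PAG encoding: a PAG appears as a supplementary
# GID in 0x41000000..0x41ffffff.  $1 is a space-separated GID list, e.g. "$(id -G)".
in_pag_groups() {
    for g in $1; do
        if [ "$g" -ge 1090519040 ] && [ "$g" -le 1107296255 ]; then
            return 0
        fi
    done
    return 1
}

# What a real script would call first.  Unmarked: re-exec ourselves under
# pagsh with the marker set; the child sees the marker and falls through.
enter_pag_and_run() {
    if needs_pag "${_IN_PAGSH:-}"; then
        _IN_PAGSH=1 exec pagsh -c "$(build_pagsh_cmd "$0" "$@")"
    fi
    # Now in a PAG of our own: tokens fetched here vanish with the PAG.
    aklog || exit 1
    echo "running $0 in a fresh PAG with args: $*"
}

# Only start the real flow when asked, so sourcing this file never execs pagsh.
if [ "${1:-}" = "--run" ]; then
    shift
    enter_pag_and_run "$@"
fi
```

Usage would be `./myscript --run arg1 'arg 2'`; the parent execs into pagsh, pagsh execs back into the script with _IN_PAGSH=1, and from then on aklog's tokens are confined to that PAG. This is exactly the split Rainer calls unnatural for setuid scripts: the re-exec goes through pagsh and $0, so a setuid wrapper cannot rely on it, and a perl server that wants a per-connection PAG after fork() still has nothing to call.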