[torquedev] patch: gssapi: use pam_open_session for AFS PAG and tokens

Sergio Gelato Sergio.Gelato at astro.su.se
Wed May 30 06:45:09 MDT 2007

Sorry for the long silence: I've been distracted by other duties and had
to set aside my work on torque for a while.

Here are two sets of patches. The first is a feature patch for the gssapi
branch, but it may conceivably also be of interest for the trunk: on
systems that have PAM, the preferred way to obtain AFS tokens is not
to call aklog directly but to have a PAM session module (such as Russ
Allbery's pam-afs-session) do it. One motivation for this is that the
-setpag option to aklog does not work on all systems. And of course
once you have a PAM hook you can use it for other things as well.

So far this patch has only been tested on Debian 4.0 (using Debian's
pam_openafs_session.so module). Some autoconf tweaks may be required
for Solaris and other PAM-capable systems.

The patch calls init_groups() again after authenticate_as_job(). 
This is a workaround for the difficulties OpenAFS sometimes has 
these days in overriding the Linux kernel's setgroups() and making 
sure the PAG ID stays in the group list.

Speaking of init_groups(), revision 1047 introduced a bug into the
gssapi branch: getgroups() is called a first time to get the group
count, but then it needs to be called again after the array has been
allocated. The trunk uses a preallocated savedgroups[] and does not 
suffer from this issue. I see two ways to fix it; one is to revert to 
the approach used on the trunk (for a sufficiently large NGROUPS_MAX), 
the other is illustrated in my second patch for today. It may be good
to know what problem the author of r1047 was trying to solve.

The rest of that second patch addresses a portability issue for
platforms where sizeof(gid_t) != sizeof(int). These may be rare
nowadays (I don't have one) but since torque's configure script
is already testing for the type of the array argument to getgroups()
why not use that information?

More patches shortly.
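
The two-call getgroups() pattern described in the message above, as an added example that is not part of the original post or of torque's code: the first call only reports the count, and the array is filled by a second call made after allocation. The function name save_groups is hypothetical, and GETGROUPS_T is assumed to come from autoconf's AC_TYPE_GETGROUPS, falling back to gid_t here.

```c
#include <errno.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* autoconf's AC_TYPE_GETGROUPS defines GETGROUPS_T; assume gid_t otherwise. */
#ifndef GETGROUPS_T
#define GETGROUPS_T gid_t
#endif

/*
 * save_groups (hypothetical name): snapshot the supplementary group list.
 * On success returns the number of groups and stores a malloc'd array in
 * *out (caller frees). Returns -1 on error and leaves *out set to NULL.
 */
int save_groups(GETGROUPS_T **out)
{
    int attempt;

    *out = NULL;
    for (attempt = 0; attempt < 4; attempt++) {
        GETGROUPS_T *list;
        int n, got;

        /* First call: size 0 only reports the count, nothing is copied. */
        n = getgroups(0, NULL);
        if (n < 0)
            return -1;

        /* Element type is GETGROUPS_T, not int, so sizes always agree. */
        list = malloc((size_t)(n > 0 ? n : 1) * sizeof(*list));
        if (list == NULL)
            return -1;

        /* Second call: this is the one that actually fills the array. */
        got = getgroups(n, list);
        if (got >= 0 && got <= n) {
            *out = list;
            return got;
        }
        free(list);

        /* EINVAL or got > n: the list grew between the calls, so retry. */
        if (got < 0 && errno != EINVAL)
            return -1;
    }
    return -1;
}
```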
