[Lsf-pc] Authentication Contexts for network file systems and Containers was Re: [LSF/MM ATTEND] FS jitter testing, network caching, Lustre, cluster filesystems.

Jeffrey Altman jaltman at auristor.com
Tue Jan 17 17:10:58 UTC 2017


On 1/17/2017 11:34 AM, Trond Myklebust wrote:
>>
>> https://docs.google.com/document/d/1P27fP1uj-C8QdxDKMKtI-Qh00c5_9zJa4
>> YHjnpB6ODM/pub
>>
>> Jeffrey Altman
>>
> 
> 
> There is the usual problem when you have to do an upcall in order to
> set up the authentication context for session based protocols, such as
> RPCSEC_GSS.
> 

Trond,

Thanks for the thought but that is not the issue here.  systemd --user
launches processes as the user but those processes do not share the same
keyring as the processes started from the pam stack at logon.
Since the keyring doesn't match, the processes started by systemd --user
are in a different authentication context.

Setting the effective 'uid' is insufficient to gain access to the proper
authentication context.

I agree that upcalls are often a problem which is why the AFS family of
protocols does not use them.  Typically a process will be created in
userland for each PAG to push refreshed credentials to the kernel module.

Jeffrey Altman
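The mismatch described in the message above can be checked directly: run `keyctl show` (from keyutils) once from a shell started by the PAM stack at logon and once from a unit started by `systemd --user`, then compare the session keyring serials and the credential keys linked under them. The following script is an added example, not code from the original message or from any of the projects it mentions; the two `keyctl show` dumps are constructed samples with made-up serials, and the `user: example_token` key is a hypothetical stand-in for whatever per-session credential the file system client keeps in the keyring.

```python
import re

# Constructed sample: output of `keyctl show` (keyutils) in a shell started by the
# PAM stack at logon. Serial numbers and the example_token key are made up.
LOGIN_SHELL_KEYCTL = r"""Session Keyring
 837541831 --alswrv   1000  1000  keyring: _ses
 425436011 --alswrv   1000 65534   \_ keyring: _uid.1000
 109983021 --alswrv   1000  1000   \_ user: example_token
"""

# Constructed sample: the same command run from a unit launched by `systemd --user`
# for the same uid. The per-uid keyring (_uid.1000) is shared because the kernel
# keys it on uid; the session keyring (_ses) is a different object, and the
# credential key linked under the login session is not visible here.
SYSTEMD_USER_KEYCTL = r"""Session Keyring
 102938475 --alswrv   1000  1000  keyring: _ses
 425436011 --alswrv   1000 65534   \_ keyring: _uid.1000
"""

# One key line: serial, permission mask, uid, gid, optional tree marker, type: description.
KEY_LINE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(?:\\_\s+)?(\w+):\s*(.+?)\s*$"
)


def parse_keyctl_show(text):
    """Parse a `keyctl show` dump.

    Returns (session_keyring_serial, keys) where keys maps (type, description)
    to the key serial for every key other than the session keyring itself.
    Header lines such as "Session Keyring" do not match KEY_LINE and are skipped.
    """
    session_serial = None
    keys = {}
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if not m:
            continue
        serial, _perms, _uid, _gid, ktype, desc = m.groups()
        if ktype == "keyring" and desc == "_ses" and session_serial is None:
            session_serial = int(serial)
        else:
            keys[(ktype, desc)] = int(serial)
    return session_serial, keys


def compare_contexts(login_dump, other_dump):
    """Decide whether two processes share an authentication context.

    Two processes are in the same context only if they hold the same session
    keyring (same serial). Matching uid alone is not enough: the per-uid keyring
    may be shared while session-scoped credentials are not.
    """
    login_ses, login_keys = parse_keyctl_show(login_dump)
    other_ses, other_keys = parse_keyctl_show(other_dump)
    return {
        "same_session_keyring": login_ses is not None and login_ses == other_ses,
        "login_session": login_ses,
        "other_session": other_ses,
        # Credential keys reachable from the login session but not from the other one.
        "missing_keys": sorted(k for k in login_keys if k not in other_keys),
        # Keys reachable from both, i.e. shared even though the sessions differ.
        "shared_keys": sorted(k for k in login_keys if other_keys.get(k) == login_keys[k]),
    }


if __name__ == "__main__":
    report = compare_contexts(LOGIN_SHELL_KEYCTL, SYSTEMD_USER_KEYCTL)
    for k, v in report.items():
        print(f"{k}: {v}")
```

On a real system, replace the constructed dumps with the captured output of `keyctl show` from each context; a `same_session_keyring` of `False` together with a non-empty `missing_keys` list is the symptom the message describes: the `systemd --user` process runs as the right uid but cannot reach the session-scoped credential, so the file system client sees it as a different authentication context.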
