Thanks very much! I will switch to the API approach.
2013/9/2 Russ Allbery <[email protected]>

> shuaijie wang <[email protected]> writes:
>
> > I have a daemon process whose ruid is a normal user and euid is root, it
> > does most of its work under normal user, but occasionally it needs to
> > change its euid to root to do something, so we can't just change both of
> > its ruid and euid to normal user. And when I want to create a PAG for
> > this process, I make this process to fork a child to exec aklog -setpag
> > to do this, but our linux kernel is 2.6.34, which has keyring feature
> > enabled, and we found that under this circumstance, the keyring created
> > by this process belongs to the ruid, not euid, so the keyring created is
> > root, and the aklog forked by this daemon can't write into this keyring,
> > thus causing pag creation error. And I've tried many ways to change the
> > permission of the keyring, but they didn't work.
>
> aklog -setpag is a horrible hack that (IMO) completely breaks the expected
> inheritance semantics of PAGs. It's also rather fragile and has broken
> from time to time, since it requires a child process to change internal
> state of its parent, which is not an operation that's normally supposed to
> be possible. I would never use it.
>
> Instead, create the PAG directly in the parent process using the
> k_setpag() function provided by libkafs or libkopenafs.
>
> --
> Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
