From a6403c0134fc567aa6abaf870348b4fb14da37e8 Mon Sep 17 00:00:00 2001 From: Simon Wilkinson Date: Mon, 11 May 2009 16:14:39 +0000 Subject: [PATCH] STABLE14101-linux26-defer-cred-changing-20090511 LICENSE IPL10 FIXES 124737 Newer Linux kernels differentiate between the real and effective credentials of a process, and prevent a process's credentials from being change when the effective credentials have been set to a different value. When AFS notices a keyring PAG exists but no group-based PAG does, the attempt to rectify this, if done in a VFS call (which changes effective creds) triggers this issue. We defer the change to the groups to avoid it. (cherry picked from commit 7d530b9080f6dd4d7f7e4555ed6ce855ff81bcaa) --- src/afs/LINUX/osi_cred.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/afs/LINUX/osi_cred.c b/src/afs/LINUX/osi_cred.c index 22f4bb53f4..8642a9fa4a 100644 --- a/src/afs/LINUX/osi_cred.c +++ b/src/afs/LINUX/osi_cred.c @@ -104,6 +104,12 @@ crset(cred_t * cr) #if defined(STRUCT_TASK_HAS_CRED) struct cred *new_creds; + /* If our current task doesn't have identical real and effective + * credentials, commit_cred won't let us change them, so we just + * bail here. + */ + if (current->cred != current->real_cred) + return; new_creds = prepare_creds(); new_creds->fsuid = cr->cr_uid; new_creds->uid = cr->cr_ruid;