Posted Jun 1, 2007 15:06 UTC (Fri) by utoddl
In reply to: Process containers
Parent article: Process containers
I was talking about supplementary group IDs as set by setgroups().
In the particular AFS context, when the older libafs kernel module loaded, it would swipe the setgroups entry in the sys_call_table (?sp) so it could handle the necessary details of associating an AFS PAG, token, and process. It was an admitted hack, but one that has worked in various forms for over a decade in a half dozen major flavors of UNIX. Other methods were invented for Linux when the kernel police make the sys_call_table read-only.
BTW, this was/is another reason to dislike what AFS does with the supplementary group list. It's rather disconcerting to do "id -a" and see groups with no associated names, but that's common if your shell is in a PAG. Behold:
$ id -a
uid=12428(utoddl) gid=12428(utoddl) \
to post comments)