Don't count root session keyrings against quota
authorSimon Wilkinson <sxw@your-file-system.com>
Wed, 17 Mar 2010 11:56:12 +0000 (11:56 +0000)
committerRuss Allbery <rra@debian.org>
Tue, 1 Mar 2011 00:09:40 +0000 (16:09 -0800)
AFS PAM modules can call setpag() as root, regardless of the UID
being authenticated. This leads to the session keyring being created
using root's quota - on some systems (RHEL5) this quota is both small
and of a fixed size.

Modify our keyring allocation code so that when a keyring is created
by root, we don't do any quota checks.

Reported-by: Rainer Toebbicke <rtb@pclella.cern.ch>
Reviewed-on: http://gerrit.openafs.org/1577
Tested-by: Rainer Toebbicke <rtb@pclella.cern.ch>
Reviewed-by: Derrick Brashear <shadow@dementia.org>
(cherry picked from commit c4537f0442ac7ecbf8c946de45004992e17d535f)

Change-Id: Ia152db35b756abc3b3684194ea3c155f22fef537
Signed-off-by: Anders Kaseorg <andersk@mit.edu>
(cherry picked from commit 9bd2fe688f3d1cea48a7d261db3bceed6a244a85)

src/afs/LINUX/osi_groups.c

index fc82463d89e90a264d6af282a0ef6751240ef202..ee5437e8cd83a571d1514fcdd3bf3ffffd30084a 100644 (file)
@@ -230,7 +230,7 @@ install_session_keyring(struct key *keyring)
 {
     struct key *old;
     char desc[20];
-    unsigned long not_in_quota;
+    int flags;
     int code = -EINVAL;
 
     if (!__key_type_keyring)
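Review bot: The new local is declared `int flags;` where the variable it replaces was `unsigned long`, and the kernel's key_alloc() takes its flags argument as `unsigned long`. The two KEY_ALLOC_* values used in the next hunk are small, so nothing breaks today, but the narrower signed type is an unnecessary mismatch with the API; I would keep `unsigned long flags;`. install_session_keyring() continues past the end of this hunk.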
@@ -239,24 +239,31 @@ install_session_keyring(struct key *keyring)
     if (!keyring) {
 
        /* create an empty session keyring */
-       not_in_quota = KEY_ALLOC_IN_QUOTA;
        sprintf(desc, "_ses.%u", current->tgid);
 
+       /* if we're root, don't count the keyring against our quota. This
+        * avoids starvation issues when dealing with PAM modules that always
+        * setpag() as root */
+       if (current_uid() == 0)
+           flags = KEY_ALLOC_NOT_IN_QUOTA;
+       else
+           flags = KEY_ALLOC_IN_QUOTA;
+
 #if defined(KEY_ALLOC_NEEDS_STRUCT_TASK)
        keyring = key_alloc(__key_type_keyring, desc,
                            current_uid(), current_gid(), current,
                            (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL,
-                           not_in_quota);
+                           flags);
 #elif defined(KEY_ALLOC_NEEDS_CRED)
        keyring = key_alloc(__key_type_keyring, desc,
                            current_uid(), current_gid(), current_cred(),
                            (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL,
-                           not_in_quota);
+                           flags);
 #else
        keyring = key_alloc(__key_type_keyring, desc,
                            current_uid(), current_gid(),
                            (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL,
-                           not_in_quota);
+                           flags);
 #endif
        if (IS_ERR(keyring)) {
            code = PTR_ERR(keyring);
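Review bot: The exemption in the added `if (current_uid() == 0)` applies to every caller that reaches this path as uid 0, not only the PAM case named in the comment, and the keyring is still allocated with uid 0 as its owner, so these keyrings are charged to no quota at all. The key quota is what bounds the kernel memory a user can pin in keys, so a root-run daemon that leaks PAGs would no longer be stopped by it. I would extend the comment to record that trade-off, e.g. `/* NOTE: keyrings created here as uid 0 stay owned by uid 0 and are unaccounted; nothing bounds their number */`, and to state which UID current_uid() tests (presumably the real UID, in which case a setuid-root caller is still charged; worth confirming against the compat definition). install_session_keyring() starts in the previous hunk and continues past the end of this one.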