Subject: Re: Process credentials change
To: Jason Thorpe <>
From: Bill Studenmund <>
List: tech-kern
Date: 07/10/2006 16:45:31
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon, Jul 10, 2006 at 03:45:49PM -0700, Jason Thorpe wrote:
> On Jul 10, 2006, at 3:30 PM, Bill Studenmund wrote:
> >I'm not sure about the cause&effect here. :-) I DO agree that we don't
> >want an lwp to change credentials in the middle of a systemcall. =20
> >However a
> >shared lock with upgrade to exclusive will also do that. :-)
> 1- Shared -> Exclusive "upgrades" are an icky concept that we happen =20
> to have in lockmgr(), but I would prefer we NOT proliferate.

I perhaps was sloppy with "upgrade." I specificaly meant a reader/writer=20
lock going from reader to writer mode. The exact "upgrade" behavior of=20
lockmgr isn't important to the issue.

My idea is that when we want to change the credentials, we would block new=
system calls until it's done; we have a lock go from reader mode to writer=
mode (change creds), then back to reader mode as all new users come in.

> 2- The key to scalability is to AVOID locking where you can.  Why =20
> block another thread that wants to change the process's credentials =20
> just because another thread in the same process is waiting for disk I/=20
> O?  You avoid contention for the lock when you have a nice short code =20
> path like this:

Depends on the semantics of credential changing w.r.t. threads. If we only=
promise that it applies to future system calls, then what you propose is=20
best. If we are instead promising that nothing is using credentials other=
than what we set to, then we need the blockage.

> void
> lwp_cache_creds(proc_t p, lwp_t l)
> {
> 	ocreds =3D NULL;
> 	mutex_lock(&p->p_cred_mutex);
> 	if (l->l_cred !=3D p->p_cred) {
> 		ocreds =3D l->l_cred;
> 		l->l_cred =3D p->p_cred;
> 		kauth_cred_retain(l->l_cred);
> 	}
> 	mutex_unlock(&p->p_cred_mutex);
> 	if (ocreds !=3D NULL)
> 		kauth_cred_release(ocreds);
> }
> ...and you don't have to take the lock again.
> Let's try and design for scalability NOW rather than have to retrofit =20
> it in later.

Agreed. Right now, I think the only question is what we are promising and=
what standards require.

> >But doing the above has an impact on changing credentials. We will =20
> >return
> >success on changing credentials before we've realy finished the =20
> >change.
> >Yes, we've put things in place so the NEXT system call will use the =20
> >new
> >creds, we are still using the old ones. If the unchanged LWP stays =20
> >in the
> >kernel "for a while", then we have a measure of shadiness.
> Assuming that an LWP entered the kernel with rights to perform an =20
> action, it stands to reason that it should be allowed to complete =20
> that action.

Agreed! We agree on this bit. The question really is if the change has to=
wait for other threads.

> >How do other OSs handle this? Do they care?
> I haven't looked into how the "change creds of the proc while threads =20
> are blocked in the kernel" aspect, but I know that Mac OS X 10.4 has =20
> per-thread credentials.  The AFP server uses this to ensure that =20
> requests are processed as the user logged into the session.

Oh, that'd be "interesting" if we don't just stay in the kernel since a=20
given userland thread can hop around LWPs. :-)

Take care,


Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.2.3 (NetBSD)