Using thread-specific credentials on Linux in Samba with glibc.

Jeremy Allison jra@samba.org
Mon Jul 2 16:17:00 GMT 2012


Hi glibc-help - Jeremy Allison of Samba here,

Samba is currently a single-threaded process that can
use pthreads for some very specific functions. I'm looking
to expand that use, and to make this more useful to us.
glibc can help (with no code change :-).

The Linux kernel makes no distinction between threads
and processes with respect to setting credentials.
So making the raw setresuid() system call sets the
real, effective and saved-set userids only for the
calling thread - the same with all the other credential
changing system calls.

However, calling setresuid() via glibc does more than
this, as glibc on Linux has to maintain per-process
credentials. I spent many a happy hour reading through
the glibc source code learning how this was implemented
internally, and it's really very clever stuff :-).

However, it's not really what I need for Samba.

Having per-thread credentials on Linux is really
useful for Samba as it allows us to take advantage
of some significant optimizations in IO, without
having to fork() new processes in order to get
the required separation of credentials. I've been
able to see a 5-10x speedup on certain operations
by using threads here to increase the parallelization
when processing filesystem calls from multi-threaded
client Windows applications.

Happily, this doesn't require any changes in
glibc, as I have wrappers for all the credentials
changing code in Samba that I just redirect to
change from doing something like:

ret = setresuid(ruid, euid, suid);

to:

ret = syscall(SYS_setresuid, ruid, euid, suid);

and everything still works (modulo 32-bit/64-bit
call differences of course :-).

So my question is - can we rely on glibc not to
break our usage of this in the future ? One of
the Samba developers is paranoid about glibc breaking
this ability by changing the syscall() call on
Linux to prevent this, and he would like some reassurance
that we can rely on this remaining possible in future
versions of glibc on Linux.

I'm hoping this would be an easy promise to make, as
breaking it would also break the code inside glibc that
implements the per-process credential requirement for
POSIX, but I promised him I'd make the request of the
glibc maintainers to get some feedback.

Thanks very much for your time !

Cheers,

Jeremy Allison,
Samba Team.



More information about the Libc-help mailing list