Re: In-kernel Authentication Tokens (PAGs)

From: John Bucy
Date: Wed Jul 07 2004 - 13:57:47 EST



Speaking as a member of the AFS community, I'm thrilled to see this
coming along since PAGs are the major stumbling block for openafs in
2.6. I won't speak for Coda and NFSv4 but hopefully, this can help them
out as well.

The policy that a number of AFS people want is that (1) processes with
different UIDs can share the same keyring and that (2) a number of
processes with the same UID can opt not to share the same keyring. (1)
e.g. I have AFS creds (krb5 tickets) and want to run a setuid binary
with my creds. (2) e.g. I want to have a bunch of xterms some with
administrative rights and some with normal rights. Maybe I'm running
stuff out of cron or something under my UID that gets creds from a
ticket file, etc, and don't want it to interfere with my interactive use
of the machine.

From my reading of the posts so far, it looks like (1) is no problem
since setuid() wouldn't touch the keyrings. I'm less sure about (2).
Does creating a new keyring (KEYCTL_NEW_RING) replace one of my existing
keyrings? Which one? To implement (2), do I need the ability to
explicitly zero-out some of my keyring associations?



john