List:       netbsd-current-users
Subject:    Re: Long-running procs, was BSD Authentication
From:       Bill Studenmund <wrstuden () NetBSD ! org>
Date:       2003-08-29 22:56:17

On Fri, 29 Aug 2003, Joerg Sonnenberger wrote:

> On Thu, Aug 28, 2003 at 10:15:44AM -0700, Bill Studenmund wrote:
> > So while yes there are other ways to do this, they all strike me as uglier
> > or scarier than what AFS is doing. I don't want any(*) other program able
> > to see my process's credential cache or able to touch it. Not even
> > anything owned by root. (*) unless the two processes are inherited from
> > the same login and are thus using the same cache. :-)
>
> That scheme has the advantage of being simple to implement with a small
> kernel footprint and works well with PAM-like authentication. It has its flaws
> too. The most important problem arises with long-running processes. You cannot
> renew the token e.g. of a daemon process without entering its domain.
>
> Think about it. If you have the possibility to alter (not read!) the credentials
> associated with a process, BSD auth can be used with AFS and kinit works too.

I think long-running process questions are beyond the scope of this
thread.  All the ones I'm familiar with know that they are long-running
apps that need re-authenticating. Since it is possible to make daemons
that handle re-authenticating, I think it's easier to just go with that
rather than come up with a reach-over cache modification ability.

Take care,

Bill
