Subject: Re: kauth_cred_set* change proposal
To: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
From: Bill Studenmund <wrstuden@netbsd.org>
List: tech-kern
Date: 07/11/2006 20:03:22
--8t9RHnE3ZwKMSgU+
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Wed, Jul 12, 2006 at 07:47:44AM +0900, YAMAMOTO Takashi wrote:
> > If we do add native support for PAGs, then we will need something like=
=20
> > what Jonathan was describing; one process, the credential updater, will=
=20
> > need to change the credentials for all processes in the same PAG. Thus =
a=20
> > process will need to make cred changes that all processes can see.
> >=20
> > As an aside, I really like PAGs and would love it if our kerberos used =
the=20
> > PAG as a ticket store.
>=20
> although i'm not sure if it's a good idea or not,
> i don't think my proposed change prevents storing "pag id" into kauth_cre=
d_t.
> after kauth_cred_setuid() "copy-on-write" a credential, both of
> new and old kauth_cred_t will keep the same "pag id".
Right. If all we do is add "PAG ID" to the kauth_cred_t, then everything=20
is fine.
As I think about it, even if/when we add more formal support for PAGs, we=
=20
probably still want kauth_cred_t to still contain a pointer/reference/id=20
to the PAG as opposed to the whole PAG. So this is fine.
Take care,
Bill
--8t9RHnE3ZwKMSgU+
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (NetBSD)
iD8DBQFEtGZ6Wz+3JHUci9cRAtd4AJ45LfG1oi1MpYn2iOhMkprinfjFIQCfZ8/8
yjvhkE+IK+Mcf7h7FrnAqO8=
=okbJ
-----END PGP SIGNATURE-----
--8t9RHnE3ZwKMSgU+--