[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: setpag switch for afslog?
I don't suppose anyone has thought about making the MacOSX client use
Mach Security context's as PAG's? (Since the hack used to implement
them on other Unix's doesn't work on OSX.)
At 9:55 AM -0600 2/23/04, Douglas E. Engert wrote:
>So the question to the AFS developers is:
> Is the use of the ktc_SetToken(...,setpag) to set the PAG of a parent
> going to continue to be supported in the future? Or should it be
>> Andrei Maslennikov <email@example.com> writes:
>> > Would it be possible to support similar functionality in Heimdal
>> > ("-setpag" switch, or function, or both)? It would simplify many
>> > things.
>> Yes, --setpag should be very possible. However, can the people the propose
>> using this tell afs implementors that its secure to do ?
>> I have not implemented --setpag functionality in arla because I'm not sure
>> its secure. Modify the parent(s) of a process seems like a recipe for
>> disaster unless its done very carefully.
>As you point out this is strange, a process modifying its parent. Considering
>all the discussion on Linux 2.6 kernel mods, maybe this should be dropped.
>I have also seen problems with it on some systems in the past.
>But it has proved to be very handy. Doing a klog -setpag user modifies the
>parent shell. (I know pagsh;klog could do something similar.)
>The one other place this is useful is that no AFS libs need to be linked
>to a daemon which needs to set a pag. This avoids conflicts and allows
>daemons to be built that can support AFS if its available. (PAM can also
>address this if the daemon uses PAM.)
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or firstname.lastname@example.org