Re: Does PAC Validation Require External Communication?
On Tue, 15 May 2007 01:00:42 -0400
Love Hörnquist Åstrand <firstname.lastname@example.org> wrote:
> > Just in case Love suddenly gets inspired by all of this - rather than
> > requiring a specific process model, I would like to see just a socket
> > descriptor and a function to process the server side so that I can use
> > it with existing muxer code. I don't want to crap up my process table
> > with daemons. Also, the IPC should be well defined and simple so that
> > I can go that low if I want.
> Splitting out the work of krb5_rd_req has been on the TODO list for
> some time now.
> Forking and execing a suid binary is one way, talking to an existing
> process over IPC another. Using IPC is probably preferred since
> fork()ing inside a lib is icky to say the least (stray SIGCHLD,
> interesting fd's all over the place, etc).
> If I was to write it, I would write both ends and make a libkrbrdrep
> that a service like winbind or kcm could link with to provide the
> functionality with a simple entry point (or two).
Excellent. Sounds good.
And I agree about not forking. Mostly because it's just not necessary
- the application is in a much better position to know how to run the
service routine that accepts and processes these types of privileged
requests. Of course it wouldn't hurt to also provide a little server
program that calls the service routine that someone can run as root