[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [OpenAFS-devel] Re: MEMORY credential cache interop between Heimdaland MIT?

To: heimdal-discuss@sics.se, Ken Hornstein <kenh@cmf.nrl.navy.mil>
Subject: Re: [OpenAFS-devel] Re: MEMORY credential cache interop between Heimdaland MIT?
From: Howard Chu <hyc@highlandsun.com>
Date: Fri, 31 Aug 2007 06:06:48 -0700
In-Reply-To: <200708311247.l7VClLvY005922@ginger.cmf.nrl.navy.mil>
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
References: <200708311247.l7VClLvY005922@ginger.cmf.nrl.navy.mil>
Reply-To: heimdal-discuss@sics.se, Howard Chu <hyc@highlandsun.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9a8pre) Gecko/2007082216 SeaMonkey/2.0a1pre

Ken Hornstein wrote:
>> Again, I don't understand _why_ a kernel solution is preferable.  Why
>> tart up the kernel with a bunch of junk code (which from my point of
>> view is _precisely_ what the "magic groups" PAG implementation does)
>> when the inheritance semantics of MAP_ANON mmap mappings are already
>> exactly what you want?
> 
> A couple of reasons from my point of view.  None of them are exactly very
> strong:
> 
> - I don't see how to do locking of the mmap()'d region in a reasonable
>   manner.  My issue with Sys V semaphores is that they don't clean themselves
>   up.  I could use a shared descriptor to coordinate access ... but that
>   gets back to all of the other problems with shared descriptors.  I imagine
>   you could come up with some scheme, but I think it would be a bit hinky
>   and not cover all of the corner cases.

Right, so use POSIX semaphores instead.
> 
> - There is from what I see not a wonderful way to share that memory location
>   to decendant processes.  I guess putting the memory address in an environment
>   variable is probably no worse that what is done today (I guess you'd
>   have a KRB5CCNAME variable that looks like "MMAP:0x12345678").

mmap'd regions are dropped on exec. You still need to inherit the descriptor so 
that any interested process can re-map the region. Which is why I originally 
suggested passing the descriptor number in the environment variable (optionally 
along with the filename, in case you still wanted to allow other processes with 
the correct uid to be able to use the creds).

The only real difference between the mmap idea and the descriptor-inheritance 
ccache that it appears you've already written is that this one requires an 
extra step (mmap) but then makes accessing the credentials a little simpler 
(since you can just walk through memory instead of having to read/parse a file).
-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP     http://www.openldap.org/project/

Follow-Ups:
- Re: [OpenAFS-devel] Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Ken Hornstein <kenh@cmf.nrl.navy.mil>

References:
- Re: [OpenAFS-devel] Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Ken Hornstein <kenh@cmf.nrl.navy.mil>

Prev by Date: Re: [OpenAFS-devel] Re: MEMORY credential cache interop between Heimdal and MIT?
Next by Date: Re: [OpenAFS-devel] Re: MEMORY credential cache interop between Heimdal and MIT?
Prev by thread: Re: [OpenAFS-devel] Re: MEMORY credential cache interop between Heimdal and MIT?
Next by thread: Re: [OpenAFS-devel] Re: MEMORY credential cache interop between Heimdal and MIT?
Index(es):
- Date
- Thread