[OpenAFS-devel] fwd: [OT] Mailing list set up for discussion of kernel keyring implementation + util
Kyle Moffett
mrmacman_g4@mac.com
Wed, 24 Aug 2005 13:45:25 -0400
On Aug 24, 2005, at 13:08:23, Kevin Coffman wrote:
>> On Wed, 24 Aug 2005, Kevin Coffman wrote:
>>> It would be nice to have some discussion about how OpenAFS plans to use the keyring.
>>
>> As long as the discussion is clear from the start that we are looking for a session semantic, one where key access is not tied to a uid, but instead that the key can (and is) shared across uids if those uids are in the same session, and that a single uid may be in more than one disjoint session.
>
> Yes, we want the same semantics as AFS/DFS for NFSv4 as well.
>
> I think the keyring code supplies enough rope to accomplish this.
Theoretically, the keyring code is extensible enough (and with enough different available inheritance semantics) that it could even be used to implement fs-uid for local filesystems: my processes (uid "kyle") could theoretically have fs-id keys for 0:0 on that local filesystem. suid/sgid gets a bit tricky there, but it should be possible to work out a sane semantic. You could even probably do Linux capabilities as a key, except that currently the key code relies on capabilities to do some admin-level permission checking.
Cheers,
Kyle Moffett
--
Premature optimization is the root of all evil in programming
-- C.A.R. Hoare