[OpenAFS-devel] Re: MEMORY credential cache interop between Heimdal and MIT?

Russ Allbery rra@stanford.edu
Wed, 29 Aug 2007 10:35:49 -0700


Howard Chu <hyc@highlandsun.com> writes:

> Of course there's a flaw in both this daemon idea and in Michael's ioctl
> idea - if a process's parent exits, the child becomes owned by process
> 1, so you can't rely on walking up the process tree to find a parent
> ccache. The only sure thing is descriptor inheritance, and that only
> works if a particular process doesn't stomp on the descriptor before
> spawning any children.

And, indeed, one site implemented a ticket cache using file descriptor
inheritance many years ago and is using it to this day.  However, having
talked to the developer of that code, there are other problems.  Mostly,
there's a lot of code out there that gets really happy about closing file
descriptors even when you don't want it to, and in some cases they even
had to hack around libc functions on some platforms that did so.

It does seem to work, but it's not very pretty and requires maintaining
workarounds for stupid code.

There's also the AFS and NFSv4 problem, where you want to have credentials
associated with file system accesses that are mediated by the kernel and
the kernel then needs to map a given user process to a credential cache.
NFSv4 uses, I believe, a callback to a userspace daemon that does really
ugly things like searching through /tmp for an appropriately-named ticket
cache.  AFS uses keyrings on Linux and a loadable kernel module on other
platforms that does nasty things to piggyback off of supplemental groups
(something that I certainly wouldn't advocate as a good solution, but
which has worked surprisingly well for many years).

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
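An added illustration of the two mechanisms compared above (my own Python, not code from anyone in this thread): a constructed credential blob is made reachable only through an inheritable descriptor, a child that closes inherited descriptors before exec (Python's subprocess default, standing in for the "stomping" code) loses it, and an orphaned grandchild no longer reports its original parent, so walking up the process tree would not find that parent's cache. Function names and the sample blob are assumptions for the demo.

```python
import os
import subprocess
import sys
import tempfile

CRED = b"constructed-ticket-blob"   # constructed sample, stands in for cache contents

def make_cred_fd():
    """The 'cache': an unlinked temp file reachable only through its descriptor."""
    fd, path = tempfile.mkstemp()
    os.unlink(path)               # no name in the file system; only fd holders can read it
    os.write(fd, CRED)
    os.set_inheritable(fd, True)  # mkstemp fds are non-inheritable by default (PEP 446)
    return fd

def read_cred(fd):
    """Read the blob through a descriptor; None if that descriptor is not open."""
    try:
        return os.pread(fd, 4096, 0)
    except OSError:
        return None

def child_sees_cred(fd, close_fds):
    """Run a child interpreter that tries to read fd; True if it got the blob.
    close_fds=True is the 'stomping' case: inherited fds above 2 are closed
    before exec, so the child has no path back to the cache."""
    prog = ("import os, sys\n"
            f"try:\n    d = os.pread({fd}, 4096, 0)\n"
            "except OSError:\n    sys.exit(2)\n"
            f"sys.exit(0 if d == {CRED!r} else 1)\n")
    return subprocess.run([sys.executable, "-c", prog], close_fds=close_fds).returncode == 0

def orphan_ppid():
    """Fork child -> grandchild, let the child exit; return (child_pid, ppid seen by the orphan)."""
    result_r, result_w = os.pipe()   # grandchild -> us: the ppid it saw
    go_r, go_w = os.pipe()           # us -> grandchild: "your parent is gone, look now"
    child = os.fork()
    if child == 0:
        if os.fork() == 0:           # grandchild
            os.read(go_r, 1)         # wait until the intermediate parent has been reaped
            os.write(result_w, str(os.getppid()).encode())
            os._exit(0)
        os._exit(0)                  # child exits at once, orphaning the grandchild
    os.close(result_w); os.close(go_r)
    os.waitpid(child, 0)             # child reaped; grandchild now belongs to pid 1 or a subreaper
    os.write(go_w, b"x")
    seen = int(os.read(result_r, 32))
    os.close(go_w); os.close(result_r)
    return child, seen
```

Run on Linux or another POSIX system; the orphan check reports whichever reaper adopted the grandchild, which is never the exited child.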