[OpenAFS-devel] Re: MEMORY credential cache interop between Heimdal and MIT?
Todd M. Lewis
"Todd M. Lewis" <utoddl@email.unc.edu>
Wed, 29 Aug 2007 14:07:57 -0400
Russ Allbery wrote:
> [...] AFS uses keyrings on Linux and a loadable kernel module on other
> platforms that does nasty things to piggyback off of supplemental groups
> (something that I certainly wouldn't advocate as a good solution, but
> which has worked surprisingly well for many years).
It's not surprising from the standpoint that supplemental groups were
designed from the outset to accomplish exactly what PAGs need -- inherit
rights to access a restricted resource. Clever as keyrings and such are, a
simpler implementation would be to allow processes to instantiate arbitrary
otherwise free supplemental groups and use them to restrict access to
keyrings, ccaches, etc. to those processes that are members of those
groups, and let the normal group inheritance mechanisms that have been
around forever do the Right Things. The unfortunate legacy of limiting
groups to stuff listed in /etc/groups has led to a lot of convoluted
schemes (as this discussion avidly demonstrates) to accomplish basically
the same thing.
--
+--------------------------------------------------------------+
/ Todd_Lewis@unc.edu 919-445-9302 http://www.unc.edu/~utoddl /
/ Honk if you love peace and quiet. /
+--------------------------------------------------------------+
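An added illustration of the inheritance argument made above (example code, not from this thread or from OpenAFS): a process's supplementary group list is carried into its children by fork() with no extra machinery, which is the property a PAG needs. The PAG group id 60001 is a constructed value; joining it requires CAP_SETGID, so the program reports whether that step worked rather than requiring it.

```c
/* Supplemental groups as a PAG substitute: membership check, optional join,
 * and proof that a child inherits the parent's list across fork(). */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum { MAXG = 256 };   /* enough groups for a demonstration process */

/* Return 1 if gid is in the calling process's supplementary group list. */
int has_supplementary_gid(gid_t gid) {
    gid_t groups[MAXG];
    int n = getgroups(MAXG, groups);
    for (int i = 0; i < n; i++)
        if (groups[i] == gid) return 1;
    return 0;
}

/* Add a hypothetical PAG group to this process. Returns 0 on success,
 * -1 if unprivileged (errno == EPERM) or the list is full. */
int try_join_pag(gid_t pag_gid) {
    gid_t groups[MAXG];
    int n = getgroups(MAXG - 1, groups);
    if (n < 0) return -1;
    groups[n++] = pag_gid;
    return setgroups((size_t)n, groups);
}

/* Fork and check that the child sees exactly the parent's supplementary
 * groups. Returns 1 when the lists match, 0 otherwise. */
int child_inherits_groups(void) {
    gid_t parent[MAXG];
    int n = getgroups(MAXG, parent);
    if (n < 0) return 0;
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) {
        gid_t child[MAXG];
        int m = getgroups(MAXG, child);
        int same = (m == n) && memcmp(parent, child, (size_t)n * sizeof(gid_t)) == 0;
        _exit(same ? 0 : 1);
    }
    int status;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void) {
    gid_t pag = 60001;   /* constructed, hypothetical PAG group id */
    if (try_join_pag(pag) == 0) printf("joined PAG group %u\n", (unsigned)pag);
    else printf("cannot join PAG group (%s): needs CAP_SETGID\n", strerror(errno));
    printf("in PAG group: %s\n", has_supplementary_gid(pag) ? "yes" : "no");
    printf("child inherits groups: %s\n", child_inherits_groups() ? "yes" : "no");
    return 0;
}
```

With CAP_SETGID the join succeeds and every child of the process is then in the PAG group; without it, the inheritance check still passes on whatever groups the process already holds.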