[OpenAFS-devel] Re: MEMORY credential cache interop between Heimdal and MIT?

Ken Hornstein kenh@cmf.nrl.navy.mil
Thu, 30 Aug 2007 21:42:39 -0400


>With other concerns understood, yeah, I think the process inheritance tree is 
>an OK model. It may very well warrant a kernel-supported implementation as 
>well, since userland (descriptor inheritance) can be derailed so easily. But if 
>you're going to the trouble of writing kernel code to implement it, do it 
>right. E.g., walking up the process tree when someone issues an ioctl on a 
>device is not going to give reliable answers. The ccache handles have to live 
>in the process' user struct so they are implicitly copied at fork() time. (At 
>least the setgroup() hacks got this right.)

Just so we're clear: I think a kernel solution is preferable.  But I
was given the task to solve the problems associated with Kerberos tickets
on disk NOW, dammit, so cajoling various vendors into developing a solution
and waiting the couple of years it would have taken to get that into
their products was simply not an option.

--Ken