[OpenAFS-devel] Re: MEMORY credential cache interop between Heimdal and MIT?
Ken Hornstein
kenh@cmf.nrl.navy.mil
Thu, 30 Aug 2007 21:42:39 -0400
>With other concerns understood, yeah, I think the process inheritance tree is
>an OK model. It may very well warrant a kernel-supported implementation as
>well, since userland (descriptor inheritance) can be derailed so easily. But if
>you're going to the trouble of writing kernel code to implement it, do it
>right. E.g., walking up the process tree when someone issues an ioctl on a
>device is not going to give reliable answers. The ccache handles have to live
>in the process' user struct so they are implicitly copied at fork() time. (At
>least the setgroup() hacks got this right.)
Just so we're clear: I think a kernel solution is preferable. But I
was given the task to solve the problems associated with Kerberos tickets
on disk NOW, dammit, so cajoling various vendors into developing a solution
and waiting the couple of years it would have taken to get that into
their products was simply not an option.
--Ken