[OpenAFS-devel] Re: MEMORY credential cache interop between Heimdal and MIT?
u+openafsdev-sr55@chalmers.se
Fri, 31 Aug 2007 09:41:27 +0200
Hi Henry,
On Thu, Aug 30, 2007 at 01:00:20PM -0700, Henry B. Hotz wrote:
> Everyone's entitled to an opinion as long as they realize they're
> wrong if they disagree with mine. ;-)
:) sure.
> The basic *nix design was oriented toward single multiuser machines.
> The uid is completely useless as a credential for accessing network
> resources. Perhaps PAGs contradict the design, but that's because
> the design is not applicable. Obviously that has user-visible
> effects, but I see no issue there except that the user needs to learn
> the difference. (Or are you proposing that Unix should be updated to
> use a network-verifiable identity in place of the uid?)
Exactly the other way around, actually.
I would argue for connecting each network identity to a different
local uid; this is more or less the only implicitly "safe" identity scope
on a *nixish system.
In other words, if a person happens to use several network
identities, the corresponding processes should have different local uids.
Data flow between those identities then has to be explicit
and the level of protection/isolation can correspond to the actual task's needs
(e.g. using local common file areas with properly chosen modes).
[the actual uid allocation method is irrelevant as long as uids are not shared
by different identities. I'm using static allocation, it can be done
dynamically as well]
Given the above I am fine with Kerberos credentials
in a local file protected by the ancient "owner" and mode bits.
Best regards
Rune
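
Added example, not part of the original message: a minimal Python audit of the scheme argued for above, checking that no local uid is shared by two network identities and that each file credential cache is a regular file owned by its uid with no group/other mode bits. The function name, the record layout, and the principals and paths in the demo are hypothetical and constructed for illustration; a POSIX system is assumed.

```python
import os
import stat
import tempfile


def audit_identity_isolation(identities):
    """identities: list of {"principal", "uid", "ccache"} records (hypothetical layout).
    Returns a list of findings; an empty list means the mapping is isolated."""
    findings = []
    owner_of_uid = {}
    for ident in identities:
        principal, uid, path = ident["principal"], ident["uid"], ident["ccache"]
        # One uid must never stand for two different network identities.
        first = owner_of_uid.setdefault(uid, principal)
        if first != principal:
            findings.append(f"uid {uid} shared by {first} and {principal}")
        try:
            st = os.lstat(path)  # lstat: do not follow a planted symlink
        except FileNotFoundError:
            findings.append(f"{path}: credential cache missing")
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append(f"{path}: not a regular file")
            continue
        if st.st_uid != uid:
            findings.append(f"{path}: owned by uid {st.st_uid}, expected {uid}")
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077:
            findings.append(f"{path}: mode {oct(mode)} grants group/other access")
    return findings


if __name__ == "__main__":
    # Constructed sample: two identities wrongly mapped to the current uid,
    # the second with a cache readable by group and other.
    tmp = tempfile.mkdtemp()
    me = os.getuid()
    records = []
    for name, mode in (("alice@EXAMPLE.ORG", 0o600), ("alice/admin@EXAMPLE.ORG", 0o644)):
        path = os.path.join(tmp, "krb5cc_" + str(len(records)))
        open(path, "w").close()
        os.chmod(path, mode)
        records.append({"principal": name, "uid": me, "ccache": path})
    for finding in audit_identity_isolation(records):
        print(finding)
```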