[OpenAFS-port-darwin] Kerberos Plugin that calls a script (was Re: [OpenAFS-devel] aklog on MacOS X )
Ben Poliakoff
benp@reed.edu
Mon, 24 Apr 2006 10:25:02 -0700
* Ragnar Sundblad <ragge@nada.kth.se> [20060423 13:05]:
>
> On 21 apr 2006, at 21.05, Ben Poliakoff wrote:
>
> >* hays@ibiblio.org <hays@ibiblio.org> [20060421 07:40]:
> >
> >>Use at your own risk, and if you do use it, please let me know
> >>what you
> >>think:
> >>
> >><http://www.ibiblio.org/macsupport/kerberos/10.4/
> >>afslogscript.loginLogout-0.0.1b2-src.tgz>
> >><http://www.ibiblio.org/macsupport/kerberos/10.4/
> >>afslogscript.loginLogout-0.0.1b2.tgz>
> >>
> >
> >I've tried it. It seems to work as advertised.
> >
> >With the acknowledged caveat that executing shell commands *is* a bit
> >of a security risk, this approach certainly gives the admin some nice
> >flexibility (it can be used with OpenAFS or Arla). What do others
> >think?
>
> Actually, my plugin works with both OpenAFS and Arla too (see below).
> But Bil's approach may be better, it is probably less sensitive to
> the changes in the kerberos/afs/whatever environment that happens every
> now and then (but hopefully should occur less frequently one Mac OS X
> now with the KPIs in place).
I admit to coming into this conversation mid-stream. I hadn't actually
looked at your (Ragnar) plugin until a few moments ago. I see now that
you've taken great care in making your plugin work with both OpenAFS and
Arla.
> I am not yet completely sure that it is a good idea to run subprocesses
> to the kerberos lib, eventhough it seems to work. Maybe we could/should
> somehow get Apples to say that it is ok.
>
> /ragge
We're certainly left entertaining solutions that run subprocesses,
given the volatility of Apple's kernel interfaces over the last few
releases. A plugin that doesn't run arbitrary shell processes is a
lot more elegant, but is also harder to maintain. But as you say, the
new KPIs should help (and hopefully will be maintained for a good long
while).
Ben