[OpenAFS-port-darwin] Kerberos Plugin that calls a script (was Re: [OpenAFS-devel] aklog on MacOS X )
Henry B. Hotz
hotz@jpl.nasa.gov
Wed, 3 May 2006 12:22:36 -0700
The setuid should be done by the Authorization Services plug-in.
Apple acknowledges this is a bug. The Apple-published Kerberos
example AS plug-in does it correctly.
Alexandra Ellwood of MIT has posted on OpenAFS lists that this is
necessary to get the Kerberos ccache associated with the correct
user. AFS is just a special case.
On Apr 26, 2006, at 9:01 AM, port-darwin-request@openafs.org wrote:
> So I fully support Bil's idea, I just am not yet sure that it is
> an Apple-blessed solution. Probably my solution of setuiding
> when run as root at loginwindow time could cause some problems too,
> and probably isn't really the ultimate solution either. It just seems
> to work, too (and has done so for 10.3 too with the previous version
> of afslog.loginLogout).
If you want to play seteuid() games inside the loginLogout plugin I
can't see how that could break anything. If AS is doing the right
thing then it just won't work (and won't be necessary) I think.
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu