>>>>> "Rick" == Rick Macklem <[EMAIL PROTECTED]> writes:
Rick> A gssd daemon for nfs needs to get Initiator Credentials for
Rick> different users (principals), so that it can do a
Rick> gss_init_sec_context() for that principal. To get Initiator
Rick> credentials, it must use the cred. cache file for that
Rick> uid. Normally, a process would be that effective uid and
Rick> everything would work. (The problem with doing that in this
Rick> case is that a new daemon process would have to be forked
Rick> for each request, so it could setuid() and then exit after
Rick> getting the security context.)
Why do you need to fork to seteuid? You really want to open the cred
cache file as the effective uid of the user or you risk significant
security problems.
I'd recommend using the environment variable. That should work fine
with MIT Kerberos 1.3.3 provided that you call gss_acquire_creds after
changing it in your application or call gss_init_sec_context with
GSS_C_NO_CREDENTIAL.
The first gss_init_sec_context call needs to be done with your euid
set to the euid of the cache file.
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
