David Howells <[EMAIL PROTECTED]> writes:

> (2) Add a flag to either a keyring or the link to it from the session
> keyring such that they can be marked for linking through into a SUID
> binary's new session keyring.

As long as this inheritance works for _anything_ (except newpag()) that a process might do, this might work for us. From earlier in this thread:

> I'd say that my id(s) for the distributed system(s) don't necessarily
> have anything to do with my local uid, so changing uid shouldn't affect
> my creds for the distributed system(s). Just like doing kinit shouldn't
> affect my local uid. I can say that being forced to reauthenticate (or
> similar) to be able to run my scripts in AFS every time I run sudo
> would be annoying.
>
> lpr, sendmail, or other apps that are setuid for local storage but need
> access to your credentials to talk to a network server

Is this a reasonable request? I would probably make it a key flag (rings behave like keys too, right?).

> (3) Instead of searching the UID and GID rings directly, when a new session
> ring is created the appropriate UID and GID rings are linked into it
> automatically. They can be later unlinked if that is desirable.

So who is allowed to unlink it? Is it still possible to override individual uid ring keys in the session ring?

> (5) On SUID exec, I'm tempted to link the old session keyring to the
> process's new session keyring, marking it for unlinking on further exec.

Why? Scenario?

/Tomas

_______________________________________________
OpenAFS-devel mailing list
[EMAIL PROTECTED]
https://lists.openafs.org/mailman/listinfo/openafs-devel
