Howard Chu <[EMAIL PROTECTED]> writes:

> Of course there's a flaw in both this daemon idea and in Michael's ioctl
> idea - if a process's parent exits, the child becomes owned by process
> 1, so you can't rely on walking up the process tree to find a parent
> ccache. The only sure thing is descriptor inheritance, and that only
> works if a particular process doesn't stomp on the descriptor before
> spawning any children.

And, indeed, one site implemented a ticket cache using file descriptor inheritance many years ago and is using it to this day. However, having talked to the developer of that code, there are other problems. Mostly, there's a lot of code out there that gets really happy about closing file descriptors even when you don't want it to, and in some cases they even had to hack around libc functions on some platforms that did so. It does seem to work, but it's not very pretty and requires maintaining workarounds for stupid code.

There's also the AFS and NFSv4 problem, where you want to have credentials associated with file system accesses that are mediated by the kernel and the kernel then needs to map a given user process to a credential cache. NFSv4 uses, I believe, a callback to a userspace daemon that does really ugly things like searching through /tmp for an appropriately-named ticket cache. AFS uses keyrings on Linux and a loadable kernel module on other platforms that does nasty things to piggyback off of supplemental groups (something that I certainly wouldn't advocate as a good solution, but which has worked surprisingly well for many years).

--
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
_______________________________________________
OpenAFS-devel mailing list
OpenAFS-devel@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-devel
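
An added illustration of the two failure modes discussed in this exchange, not code from either poster or from OpenAFS: a grandchild whose parent has exited can no longer find that parent through `getppid()` yet still holds an inherited descriptor, unless an intermediate process swept descriptors closed before forking. The pipe standing in for the ticket cache, the `probe` struct, `orphan_probe()` and the sample ticket are all constructed for this example.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the orphaned grandchild saw. All names here are hypothetical. */
struct probe { pid_t launcher, middle, ppid_after; int cache_readable; };
/* launcher -> middle -> grandchild. The middle process exits right after
 * forking; with stomp set it first runs a close-everything descriptor sweep. */
struct probe orphan_probe(int stomp) {
    static const char ticket[] = "constructed-sample-ticket";
    struct probe r = { getpid(), -1, -1, 0 };
    int cc[2], rp[2];            /* cc: stand-in ticket cache, rp: report pipe */
    if (pipe(cc) || pipe(rp)) return r;
    if (write(cc[1], ticket, sizeof ticket) < 0) return r;
    pid_t mid = fork();
    if (mid == 0) {              /* middle process */
        r.middle = getpid();
        if (stomp)
            for (int fd = 3; fd < 1024; fd++)
                if (fd != rp[1]) close(fd);  /* spare only the demo's report pipe */
        if (fork() == 0) {       /* grandchild */
            char buf[64];
            for (int i = 0; i < 5000 && getppid() == r.middle; i++)
                usleep(1000);    /* wait until the middle process has exited */
            r.ppid_after = getppid();  /* init or a subreaper, not the middle process */
            r.cache_readable = read(cc[0], buf, sizeof buf) == (ssize_t)sizeof ticket
                               && memcmp(buf, ticket, sizeof ticket) == 0;
            if (write(rp[1], &r, sizeof r) < 0) _exit(1);
        }
        _exit(0);
    }
    close(rp[1]);
    waitpid(mid, NULL, 0);
    if (read(rp[0], &r, sizeof r) != (ssize_t)sizeof r) r.cache_readable = -1;
    close(rp[0]); close(cc[0]); close(cc[1]);
    return r;
}

int main(void) {
    for (int stomp = 0; stomp <= 1; stomp++) {
        struct probe p = orphan_probe(stomp);
        printf("stomp=%d launcher=%d middle=%d ppid_after=%d cache_readable=%d\n", stomp,
               (int)p.launcher, (int)p.middle, (int)p.ppid_after, p.cache_readable);
    }
    return 0;
}
```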