-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [EMAIL PROTECTED] wrote: > Author: gd > Date: 2007-03-20 12:44:40 +0000 (Tue, 20 Mar 2007) > New Revision: 21887 > > WebSVN: > http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=21887 > > Log: > Fix annoying bug where in a pam_close_session (or a pam_setcred with the > PAM_DELETE_CREDS flag set) any user could delete krb5 credential caches. > Make sure that only root can do this. > > Jerry, Jeremy, please check.
There are three places we use sys_getpeerid() that I can tell. (a) Jeremy's Domain Users hack for reporting group membership, (b) access to the ntlm_auth cache for applications like Firefox, and now (c) The capability to issue a logoff call. If we don't have getpeerid() I can loose the first two. No big deal. The problem I see with (c) is that if a platform does not support getpeerid() then you get init a user's krb5 ccache but never delete it. Which makes the feature asymetrical based on support for getpeerid(). Am I missing something here ? cheers, jerry -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFF/+ngIR7qMdg1EfYRAhArAJ9DTSiM/wWflGkVq3kf0jIwC2j4dACgkINs KunBqbQWkDYlMjC5yJ4ZJtY= =hNHM -----END PGP SIGNATURE-----