Solaris ssh pam_krb
Jeffrey Hutzelman
jhutz at cmu.edu
Mon Apr 3 17:04:00 EDT 2006
On Monday, April 03, 2006 02:08:46 PM -0500 Nicolas Williams
<Nicolas.Williams at sun.com> wrote:
> File descriptors in Solaris already retain a reference to the cred_t
> used to open the file. So "UID" or "PAG" is not relevant here. Neither
> is "processes with that UID or PAG." What is relevant is "references to
> that UID or PAG from cred_t instances."
Ah, yes. If open files reference the cred_t, and that has a reference to
the credentials (directly or indirectly), then you're fine.
> So does Solaris. I believe one must in order to support various
> standard behaviours (e.g., file descriptor passing over IPC +
> distributed filesystems [NFS, AFS, CIFS, whatever]).
Well, you need to do full refcounting for that, which we don't. In AFS, a
reference is held on a credential while it is actually being used to
establish a connection, but not otherwise. It's all mark-and-sweep,
because today's operating systems don't provide the sort of zero-reference
notification you're talking about.
> Right. But I'd like the OS to provide a "fall to zero refcount"
> facility for either "cred_t instances referencing some UID" or "cred_t
> instances referencing some PAG."
Why "either" and not "both"? For that matter, you could also do it for
references to GIDs, though I don't see any particular use for that.
UIDs and PAGs are very nearly orthogonal. In particular, it is _not_ the
case that all processes in the same PAG have the same UID - PAG membership
survives things like starting SUID binaries, which we consider a feature
(after all, it's part of the same session).
-- Jeff
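The reference chain the thread argues about (open file -> cred_t -> PAG, with a fall-to-zero hook on the PAG) is easy to see in a small model. The following is an added example, not Solaris, AFS or pam_krb source; the struct and function names (`struct pag`, `struct cred`, `cred_setuid`, the two `scenario_*` functions) are hypothetical and only stand in for the kernel objects named in the discussion. It shows both points Jeff makes: an open file descriptor keeps the PAG's tokens alive after the opening process exits, and a setuid-style credential change keeps the same PAG.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the design discussed in the thread (not real kernel
 * code): a PAG holds session tokens; each cred_t holds a reference to a PAG;
 * processes and open files each hold a reference to a cred_t. When the last
 * cred_t referencing a PAG goes away, the PAG's zero-refcount hook fires and
 * the session tokens are discarded. */

struct pag {
    int id;
    int refs;        /* number of cred_t instances referencing this PAG */
    int tokens_live; /* 1 while the session's tokens are held */
    int zero_events; /* how many times the fall-to-zero hook has fired */
};

struct cred {
    int uid;
    int refs;        /* processes + open files referencing this cred */
    struct pag *pag;
};

static void pag_hold(struct pag *p) { p->refs++; }

static void pag_release(struct pag *p) {
    if (--p->refs == 0) {
        /* fall-to-zero notification: this is where tokens would be destroyed */
        p->tokens_live = 0;
        p->zero_events++;
    }
}

static struct cred *cred_new(int uid, struct pag *p) {
    struct cred *c = calloc(1, sizeof *c);
    if (!c) abort();
    c->uid = uid;
    c->pag = p;
    c->refs = 1;
    pag_hold(p);              /* the cred_t is what references the PAG */
    return c;
}

static void cred_hold(struct cred *c) { c->refs++; }

static void cred_release(struct cred *c) {
    if (--c->refs == 0) {
        pag_release(c->pag);  /* last user of this cred_t drops its PAG ref */
        free(c);
    }
}

/* setuid-style credential change: new UID, same PAG (membership survives) */
static struct cred *cred_setuid(struct cred *old, int new_uid) {
    struct cred *c = cred_new(new_uid, old->pag);
    cred_release(old);
    return c;
}

/* Scenario 1: a process opens a file (the fd copies a cred_t reference),
 * then exits. Returns 1 if the tokens survived the exit and were dropped
 * only once the fd was closed. */
int scenario_open_file_survives_exit(void) {
    struct pag p = {1, 0, 1, 0};
    struct cred *c = cred_new(1000, &p);   /* process credential */
    cred_hold(c);                          /* open(): fd references the cred_t */
    cred_release(c);                       /* process exits */
    int live_after_exit = p.tokens_live && p.refs == 1;
    cred_release(c);                       /* close(): last reference goes away */
    return live_after_exit && !p.tokens_live && p.zero_events == 1;
}

/* Scenario 2: the process execs a SUID binary. The UID changes, the PAG
 * does not, and the tokens stay live until the new cred_t is released. */
int scenario_setuid_keeps_pag(void) {
    struct pag p = {2, 0, 1, 0};
    struct cred *c = cred_new(1000, &p);
    c = cred_setuid(c, 0);                 /* now root, same session/PAG */
    int same_pag = c->pag == &p && c->uid == 0 && p.refs == 1 && p.tokens_live;
    cred_release(c);                       /* process exits: PAG falls to zero */
    return same_pag && !p.tokens_live && p.zero_events == 1;
}

int main(void) {
    printf("open file keeps tokens across exit: %d\n", scenario_open_file_survives_exit());
    printf("setuid keeps PAG:                   %d\n", scenario_setuid_keeps_pag());
    return 0;
}
```

The model is pure reference counting, which is the facility the thread asks the OS for; the AFS mark-and-sweep behaviour Jeff describes would instead walk live cred_t instances periodically and could not fire a hook at the exact moment the last reference disappears.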