Solaris ssh pam_krb
Nicolas Williams
Nicolas.Williams at sun.com
Mon Apr 3 17:06:58 EDT 2006

On Mon, Apr 03, 2006 at 05:04:00PM -0400, Jeffrey Hutzelman wrote:
> On Monday, April 03, 2006 02:08:46 PM -0500 Nicolas Williams
> <Nicolas.Williams at sun.com> wrote:
> >Right. But I'd like the OS to provide a "fall to zero refcount"
> >facility for either "cred_t instances referencing some UID" or "cred_t
> >instances referencing some PAG."
>
> Why "either" and not "both"? For that matter, you could also do it for
> references to GID's, though I don't see any particular use for that.

OK.

> UID's and PAG's are very nearly orthogonal. In particular, it is _not_ the
> case that all processes in the same PAG have the same UID - PAG membership
> survives things like starting SUID binaries, which we consider a feature
> (after all, it's part of the same session).

But you may want to place access controls on PAG associations.

Nico
--