porting CCAPI to UNIX

Ken Hornstein kenh at cmf.nrl.navy.mil
Tue May 8 15:01:44 EDT 2007

>> I don't see how that would work.  How would I store Kerberos credentials
>> inside of a PAG?  (Given my client base I can't assume AFS is available).
>Associate the credential cache with the PAG, the way AFS does.

Ummm ... yeah?  How do I do that as a userspace process?  I don't have
the luxury of being in the kernel like AFS does.

>Why do you need to restrict the daemon to clients in the same session?

It's not necessary that the daemon be restricted, per se ... like you
surmise, it's just that I want to insure that only processes within the
same session have access to that session's credentials.  What I _don't_
want is processes that have the same Unix userid but are in a different
session being able to access these credentials.

I looked into this, but given that requiring OpenAFS is not an option I
cannot see a way of doing this on a portable manner.  When you're doing
Unix IPC the best you can get is Unix userid and group membership of
the peer.  Perhaps if, like you said, the task ID was included in the
ucred structure that would be sufficient at least for Solaris ... but
your implication is that currently it does not (I guess the version of
Solaris I am using is too old; it lacks door_ucred()).  So the only
solution I could come up with was restricting access to the credential
cache server itself ... and that's how I came up with the current scheme.

Why I want these security semantics is a long story, but it's the
result of hard-learned lessons.  I can share the whole saga over a
beer sometime if you like.


More information about the krbdev mailing list