Fedora ticket cache location

Nico Williams nico at cryptonector.com
Thu Jun 7 17:33:17 EDT 2012


On Thu, Jun 7, 2012 at 4:24 PM, Russ Allbery <rra at stanford.edu> wrote:
> Nico Williams <nico at cryptonector.com> writes:
>> When is inheritance NOT desirable?
>
> Apache, for one obvious example.  I may have credentials for the LDAP
> client module in Apache, but I don't want those inherited by CGI scripts.
> Of course, that basically argues for creating new sessions when spawning
> CGI scripts (but that isn't what happens now).

If these scripts inherit the same privileges as Apache then I don't
see why not inherit krb5 credentials by inheriting Apache's session.

OTOH, if they don't inherit credentials, e.g., because Apache does a
fork() and setuid() prior to exec()ing the scripts, then I think we
have a way to tell when sessions should not be inherited.  Note that
PAGs don't get inherited across initgroups(3C) calls on systems where
PAGs are implemented by stealing the last two supplementary groups and
part of the GID namespace.  (My old CPG proposal covered this,
incidentally.)

> If everything that didn't want inheritance created new sessions, I think
> sessions would give me what I want.  I'm a bit dubious that we can patch
> everything to do that, though.

Right, no, we need fairly automatic semantics.

The Solaris SMF system depends on process contracts, and you can only
create new contracts by placing the
next-to-be-created-from-this-thread process, which is done by setting
a contract template that the next fork(2) call then applies.  This is
both easy to apply to existing APIs that create processes
(posix_spawn(), say), and also inexact (how many fork()s will whatever
API you're targeting do?).  Also, it's not easy to use, but that could
be improved.  There may be something to be learned from this...

Nico
--


