Subject: Re: PAM
To: None <current-users@netbsd.org>
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
List: current-users
Date: 09/24/2002 17:37:33
>I can't see why it can't be done. Maybe because I am not familiar with
>kerberos or AFS. e.g., a parent loads credentials into a known file
>descriptor - 3, then fork/execs a child process which reads these.
>Or this won't work either with AFS for some reason?

In the AFS case, you need to add groups to the process context (and place
the Kerberos ticket into the kernel in that process context).

In the Kerberos case, you need to write out your credentials to a file,
and then set an environment variable so the other applications can find
the credentials.

>> Nope. While OK/FAIL will go a long way, there are a number of auth systems
>> it won't do. And that's the whole point above. For those systems, AFS in
>> particular, you also have to load credentials (make syscalls()) IN THE
>> AUTHENTICATED PROCESS.
>
>Could it be those systems need a redesign for simplicity's sake?

Well, I'll be interested in seeing your redesign ... but I'm not holding
my breath that they're going to end up being simpler (to solve the problems
that you need to solve, I'm not sure how much simpler you could make them).

--Ken
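The Kerberos hand-off Ken describes above (credentials written to a file, an environment variable pointing at it, then fork/exec so the child inherits both), as an added example that is not part of the original message or of any NetBSD or Kerberos code. It assumes only the standard Kerberos convention that applications locate their credential cache through KRB5CCNAME (optionally prefixed with "FILE:") and that /tmp is writable; the credential bytes are a constructed stand-in, not a real ticket, and the AFS side (a PAG plus the ticket pushed into the kernel by a syscall in the authenticated process) is deliberately not shown, since it needs an AFS client in the kernel to mean anything.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Constructed stand-in for a credential cache; a real one is what kinit writes. */
static const char DEMO_CREDS[] = "DEMO-NOT-A-REAL-TICKET";

/* Write the credential bytes to a fresh mode-0600 file, the way a Kerberos
 * credential cache is laid down. Returns a malloc'd path or NULL on failure. */
static char *write_ccache(const void *blob, size_t len)
{
    char path[] = "/tmp/krb5cc_demo_XXXXXX";   /* assumed writable location */
    int fd = mkstemp(path);                    /* O_EXCL, unique name */
    if (fd < 0)
        return NULL;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {  /* owner-only, explicitly */
        close(fd);
        unlink(path);
        return NULL;
    }
    const char *p = blob;
    size_t left = len;
    while (left > 0) {
        ssize_t n = write(fd, p, left);
        if (n <= 0) {
            close(fd);
            unlink(path);
            return NULL;
        }
        p += n;
        left -= (size_t)n;
    }
    close(fd);
    return strdup(path);
}

/* What a Kerberized consumer does: find the cache through KRB5CCNAME and read
 * it. Returns 1 if the expected bytes are there, 0 otherwise. */
int consumer_finds_credentials(const void *expected, size_t len)
{
    const char *cc = getenv("KRB5CCNAME");
    if (cc == NULL)
        return 0;
    if (strncmp(cc, "FILE:", 5) == 0)          /* "FILE:/path" or bare "/path" */
        cc += 5;
    int fd = open(cc, O_RDONLY);
    if (fd < 0)
        return 0;
    unsigned char buf[256];
    size_t got = 0;
    while (got < sizeof buf) {
        ssize_t n = read(fd, buf + got, sizeof buf - got);
        if (n <= 0)
            break;
        got += (size_t)n;
    }
    close(fd);
    return got == len && memcmp(buf, expected, len) == 0;
}

/* Parent side: stage the cache, export KRB5CCNAME, then fork a child that
 * stands in for the exec'd application. Returns the child's exit status
 * (0 = the child found the credentials) or -1 on setup failure. */
int hand_off_credentials(const void *blob, size_t len)
{
    char *path = write_ccache(blob, len);
    if (path == NULL)
        return -1;
    char value[64 + sizeof "/tmp/krb5cc_demo_XXXXXX"];
    snprintf(value, sizeof value, "FILE:%s", path);
    setenv("KRB5CCNAME", value, 1);

    pid_t pid = fork();
    if (pid == 0) {
        /* A real login would execve() the session here. The file and the
         * environment both survive exec, which is why this works for
         * Kerberos. An AFS PAG would not: it has to be set by a syscall in
         * this very process, before the exec, as Ken says. */
        _exit(consumer_finds_credentials(blob, len) ? 0 : 1);
    }
    int status = -1;
    if (pid > 0)
        waitpid(pid, &status, 0);
    unsetenv("KRB5CCNAME");                    /* the parent never needed them */
    unlink(path);
    free(path);
    if (pid < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int rc = hand_off_credentials(DEMO_CREDS, strlen(DEMO_CREDS));
    printf("child %s the credentials via KRB5CCNAME\n",
           rc == 0 ? "found" : "did not find");
    return rc == 0 ? 0 : 1;
}
```

The point the quoted fd-3 proposal misses is visible in consumer_finds_credentials: a Kerberized program does not look at an inherited descriptor, it looks up KRB5CCNAME and opens a file, so the launcher must produce exactly that file and that variable. Once the child has exec'd, the parent can drop the variable; the cache file itself stays the child's to clean up when the session ends.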