Subject: Re: PAM
To: NetBSD-current Discussion List <firstname.lastname@example.org>
From: Love <email@example.com>
Date: 09/25/2002 19:28:02

firstname.lastname@example.org (Greg A. Woods) writes:
> For "bit-rotting research projects" I suspect you're referring to Robert
> Watson's experimental implementation of a new design in FreeBSD (and
> perhaps Linux too?):
With the exception that this still requires PAM since there is no way to
modify another process's pag.
> Watson does also advocate PAM, it's not a fundamental part of the design
> he promotes.
It is, since there is no set_pag_for_pid() in his api.
> Douglas Engert has also implemented some interesting ideas in this area:
Same thing here.
Modifying all programs (adding setpag()) that need to create a new pag
sucks big time.
> The basic idea though is trivial. Keeping the PAG directly in the proc
> structure where it should have been put in the first place instead of
> over-loading the group list, and allowing a child process, or even a
> sufficiently privileged random "unrelated" process, to set the PAG for a
> given process is only a SMOP. :-)
Groups are stored off the proc structure. In AFS there is a setpag syscall
that is unrestricted. The only problem I see with using the groups as pag
is that you have to hook setgroups. This makes it an evil hack that should