Subject: Re: integrating PAM
To: Dan Melomedman <dan%dan.dan@devonit.com>
From: Greywolf <greywolf@starwolf.com>
List: current-users
Date: 01/24/2003 17:10:11

On Fri, 24 Jan 2003, Dan Melomedman wrote:

[DM: Bill Studenmund wrote:
[DM: > > 3) There's nothing preventing the authenticator from giving the kernel
[DM: > > some data before exec. Of course the standard method of passing data
[DM: > > from the authenticator to the final process is through env[]. This
[DM: > > however doesn't prevent you to pass data any other way, like a pipe, or
[DM: > > set some tokens before exec for your Kerberos or AFS in the kernel in my
[DM: > > understanding.
[DM: >
[DM: > It's not set some tokens before exec, it's set some tokens in the original
[DM: > process. It's already running, so do-before-exec actions won't help.
[DM:
[DM: Okay then, what's preventing you from do-after-exec actions?

Please forgive me, but I can't believe I just read this.

Dan, this is the thing which has been plaguing UNIX for years:  A child
process cannot modify its parent; in fact a process cannot modify another
already running process while it is running unless a framework is built into
place to facilitate and both processes co-operate with each other, OR a
framework is built into the kernel to allow one process to arbitrarily
modify another process.

I'm sure that you can probably guess why the latter approach is
undesirable (hint:  We would no longer be running UNIX).

[I'm also reasonably sure I saw a comment once, either on a man page
or in source code somewhere, which read:

	"If a process could modify the environment of its parent,
	 none of this would be necessary."

But I can't find the reference, blast it.  I'm also reasonably sure
that, while **environ was the reference, it holds true for any other part
of a process' data.]

				--*greywolf;
--
NetBSD: The choice of hundreds worldwide.
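
Added example, not part of the original message or of NetBSD's code: a C sketch of the point made above, where a child's `setenv()` never reaches its parent and the value only arrives when both sides co-operate over a pipe. The variable name `DEMO_AUTH_TOKEN`, the function `run_demo` and the token value are constructed for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define TOKEN_VAR "DEMO_AUTH_TOKEN"  /* hypothetical name, for this demo only */

/* Child plays the authenticator: it sets TOKEN_VAR in its own environment
 * and also writes the value to a pipe. The parent records whether it saw the
 * child's setenv() (*seen_directly), then applies the piped value to itself.
 * Returns 0 on success, -1 on error. Assumes a short token (one read). */
int run_demo(const char *token, int *seen_directly, char *from_pipe, size_t len)
{
    int fds[2];
    pid_t pid;
    ssize_t n;

    if (len == 0 || unsetenv(TOKEN_VAR) != 0 || pipe(fds) != 0)
        return -1;
    if ((pid = fork()) < 0) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    if (pid == 0) {                       /* child */
        close(fds[0]);
        setenv(TOKEN_VAR, token, 1);      /* modifies the child's copy only */
        _exit(write(fds[1], token, strlen(token)) < 0 ? 1 : 0);
    }
    close(fds[1]);                        /* parent */
    n = read(fds[0], from_pipe, len - 1);
    close(fds[0]);
    waitpid(pid, NULL, 0);                /* child has finished its setenv() */
    if (n < 0)
        return -1;
    from_pipe[n] = '\0';
    *seen_directly = (getenv(TOKEN_VAR) != NULL);
    return setenv(TOKEN_VAR, from_pipe, 1);   /* the cooperating step */
}

int main(void)
{
    int seen = 0;
    char buf[64];
    if (run_demo("constructed-token-123", &seen, buf, sizeof buf) != 0)
        return 1;
    printf("seen directly: %d, via pipe: %s\n", seen, buf);
    return 0;
}
```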