Subject: Re: integrating PAM
To: Dan Melomedman <email@example.com>
From: Greywolf <firstname.lastname@example.org>
Date: 01/24/2003 17:10:11

On Fri, 24 Jan 2003, Dan Melomedman wrote:
[DM: Bill Studenmund wrote:
[DM: > > 3) There's nothing preventing the authenticator from giving the kernel
[DM: > > some data before exec. Of course the standard method of passing data
[DM: > > from the authenticator to the final process is through env. This
[DM: > > however doesn't prevent you from passing data any other way, like a pipe, or
[DM: > > setting some tokens before exec for your Kerberos or AFS in the kernel in my
[DM: > > understanding.
[DM: > It's not set some tokens before exec, it's set some tokens in the original
[DM: > process. It's already running, so do-before-exec actions won't help.
[DM: Okay then, what's preventing you from do-after-exec actions?

Please forgive me, but I can't believe I just read this.

Dan, this is the thing which has been plaguing UNIX for years: A child
process cannot modify its parent; in fact a process cannot modify another
already running process while it is running unless a framework is built into
place to facilitate and both processes co-operate with each other, OR a
framework is built into the kernel to allow one process to arbitrarily
modify another process.

I'm sure that you can probably guess why the latter approach is
undesirable (hint: We would no longer be running UNIX).

[I'm also reasonably sure I saw a comment once, either on a man page
or in source code somewhere, which read:
"If a process could modify the environment of its parent,
none of this would be necessary."
But I can't find the reference, blast it. I'm also reasonably sure
that, while **environ was the reference, it holds true for any other part
of a process' data.]

NetBSD: The choice of hundreds worldwide.
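
The isolation described in this message, as an added example that is not part of the original post: a child's `setenv()` never reaches its parent, while a value handed over a pipe does arrive because the parent cooperates by reading and applying it. The names `DEMO_TOKEN` and `set-by-child` are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#define VAR "DEMO_TOKEN"            /* hypothetical name, for this demo only */
#define TOKEN "set-by-child"        /* constructed sample value */

/* Child sets VAR in its own environment copy; 1 = parent untouched, -1 = error. */
int child_setenv_is_invisible(void) {
    unsetenv(VAR);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        setenv(VAR, TOKEN, 1);
        _exit(getenv(VAR) ? 0 : 1);  /* the child does see its own change */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status)) return -1;
    return getenv(VAR) == NULL;
}

/* Cooperative path: child writes to a pipe, parent reads and applies it itself. */
int receive_token_from_child(char *out, size_t outlen) {
    int fds[2];
    if (outlen < 2 || pipe(fds) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        close(fds[0]);
        _exit(write(fds[1], TOKEN, strlen(TOKEN)) == (ssize_t)strlen(TOKEN) ? 0 : 1);
    }
    close(fds[1]);                   /* parent keeps only the read end */
    size_t n = 0;
    ssize_t r;
    while (n < outlen - 1 && (r = read(fds[0], out + n, outlen - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fds[0]);
    if (waitpid(pid, NULL, 0) < 0 || n == 0) return -1;
    return setenv(VAR, out, 1);      /* the parent modifies itself */
}

int main(void) {
    char buf[64];
    printf("parent untouched by child's setenv: %d\n", child_setenv_is_invisible());
    printf("pipe handoff: %d, %s=%s\n", receive_token_from_child(buf, sizeof buf), VAR, buf);
    return 0;
}
```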