--=-=-=


YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp> writes:

> do you mean to put AFS remote (on-wire or server-side or whatever)
> credential into kauth_cred_t?
> isn't it a matter of mapping between local and remote credentials,
> which should be handled by AFS client, not kauth?
>
> (sorry, i have no idea how AFS works.)

AFS introduces the concept of PAG (process authentication group).

You can change your PAG with the setpag system call. When you insert afs
credentials into system, they are indexed on the PAG. When there isn't a
pag, uid is used to find the credential.

You can't leave a pag, just change to a new PAG.

A PAG doesn't change with setuid()/setgid().

For the begining it was to allow setuid lpr to read the users file, but its
more useful that then. For example, consider haveing two xterms, one for
administrations and one for accessing files as a normal user.

Now, the requirements on kauth_cred_t for the two afs clients that exists
today is a diffrent issue.

Love


--=-=-=
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iQIVAwUARLOuFRZyDLTSep3UAQIVYw//QDxPfHOnAF0xdzhQRr1aDoSLW16r+1X5
JuSVSBbZJbzKgFHPRgylAe5ClT0xaO4WUINnozL0Xmd5U2qrNfcs5BB1wdmy0/RK
E7TGGhXoq7uxXFTpKGwHas0NgaOv9g8XNrE9NreWdbRzijW7k71tJWsMHjqCJSq1
+w20pLuLAluZopisaqxcYBx2mFWx5zDy39JvnktNudfTX3gS1sYACR4BZ6wxry6z
gYq81JmBrWoFMdGFl4araAokIOHFTy5PzzyWtACIHgdFMTGds3y08TsSXcBnCLrp
DkLIsbTOSwncb8r7/qKuT7bDvw0kVG7Mr/t2CAIbYT1Mz6jQqEbr2o8DIos7Dz7u
J073zQSVRzHhA22uHW3rPaENyCI5JYnvyMOyfD/DMymBP4WAGEiyUylcjvyQXfww
ZBWJKE7+RsAhG5pPvS/DBO95R2U48ixAKEKveB8kw92LttwqKT+dGCmBfx2Eu3/I
FrQCP2Y0cS6tGVERB+h3obZL0XisdAlPzFXY+m/PFfCxp2ygugSgSkjFiZyNArjl
cxlqD/NkIeAyHfviXdDX3FEE0tT+10qlHkVOTNgiWeL4FAOgJa9G8uxDwzVwTw0I
zE7P8micNpQ2+sNQzgml2IA6oX2Du/g80WrL2ydsfLmDUFubPFy6Fr3nyIhwIONu
1JiavljJd3U=
=d5qg
-----END PGP SIGNATURE-----
--=-=-=--