Subject: Re: PAM
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
From: Greg A. Woods <woods@weird.com>
List: current-users
Date: 09/24/2002 18:36:56
[ On Tuesday, September 24, 2002 at 17:37:33 (-0400), Ken Hornstein wrote: ]
> Subject: Re: PAM 
>
> >I can't see why it can't be done. Maybe because I am not familiar with
> >kerberos or AFS. e.g., a parent loads credentials into a known file
> >descriptor - 3, then fork/execs a child process which reads these.
> >Or this won't work either with AFS for some reason?
> 
> In the AFS case, you need to add groups to the process context (and place
> the Kerberos ticket into the kernel in that process context).

It is very trivial for an open-source system to design a clean and
simple syscall API to do this from a sufficiently privileged child or
server process.

The PAGid really shouldn't be stored in the groups list either.  That's
a really bad and ugly hack.  It's trivial to give it a proper place in
the proc structure and to arrange for fork() to copy it to the child.
There was some discussion about how to do this in one of the FreeBSD
lists a number of years ago.  Others have discussed and demonstrated
working implementations of similar ideas for other operating systems as
many as five years ago too.

-- 
								Greg A. Woods

+1 416 218-0098;            <g.a.woods@ieee.org>;           <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
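Added example (not part of the thread, and not code from NetBSD, FreeBSD or any AFS client): a userspace toy model of the two designs discussed above. The `struct proc`, `model_fork`, `model_setpag` and `model_setgroups` functions are assumed stand-ins for the kernel pieces, `PAG_GID_BASE` is a constructed convention for "park the PAG in the groups list" and is not the encoding any real AFS client uses, and the setpag privilege policy (root may always set it, an unprivileged process may only acquire one when it has none) is an assumption. It walks a login program through the usual sequence (acquire PAG as root, install the user's groups, fork the session, drop privilege) and shows that a dedicated field in the proc structure survives the groups-list rewrite and is inherited across fork(), while a PAG hidden in the groups list does not.

```c
#include <stdio.h>
#include <string.h>

#define NGROUPS_MAX 16
#define PAG_NONE 0u
/* Constructed convention for the groups-list hack: a gid at or above this
   base is not a real group but a parked PAG id. Illustrative only; this is
   not the encoding any real AFS client uses. */
#define PAG_GID_BASE 0x40000000u

typedef unsigned int pag_t;

/* Toy model of the per-process credential fields a kernel would keep. */
struct proc {
    int pid;
    unsigned int uid;
    unsigned int groups[NGROUPS_MAX];
    int ngroups;
    pag_t pag;   /* the "proper place": a dedicated field, copied by fork() */
};

static int next_pid = 1;

/* Model of fork(): the child is a copy of the parent, PAG included. */
static struct proc model_fork(const struct proc *parent) {
    struct proc child = *parent;
    child.pid = next_pid++;
    return child;
}

/* Model of a setpag() syscall. Assumed policy: root may always set it; an
   unprivileged process may only acquire a PAG when it has none. */
static int model_setpag(struct proc *p, pag_t pag) {
    if (p->uid != 0 && p->pag != PAG_NONE)
        return -1;                        /* EPERM */
    p->pag = pag;
    return 0;
}

/* Model of setgroups(): root-only, replaces the whole supplementary list. */
static int model_setgroups(struct proc *p, const unsigned int *g, int n) {
    if (p->uid != 0 || n > NGROUPS_MAX)
        return -1;
    memcpy(p->groups, g, (size_t)n * sizeof *g);
    p->ngroups = n;
    return 0;
}

/* Groups-list hack: the PAG is whichever gid sits above PAG_GID_BASE. */
static pag_t hack_pag_of(const struct proc *p) {
    for (int i = 0; i < p->ngroups; i++)
        if (p->groups[i] >= PAG_GID_BASE)
            return p->groups[i] - PAG_GID_BASE;
    return PAG_NONE;
}

/* Constructed group list for the logging-in user. */
static const unsigned int user_groups[] = { 100, 200 };

/* Sequence a login program runs: acquire a PAG as root, install the user's
   group list (initgroups()-style), fork the session, drop privilege there. */
static struct proc login_session(int use_dedicated_field) {
    struct proc login = { .pid = next_pid++, .uid = 0 };
    if (use_dedicated_field) {
        model_setpag(&login, 4242);
    } else {
        unsigned int with_pag[] = { PAG_GID_BASE + 4242 };
        model_setgroups(&login, with_pag, 1);
    }
    model_setgroups(&login, user_groups, 2);   /* rewrites the whole list */
    struct proc session = model_fork(&login);
    session.uid = 1000;                        /* setuid() to the user */
    return session;
}

/* PAG visible in the unprivileged session process under each scheme. */
pag_t pag_with_dedicated_field(void) {
    struct proc s = login_session(1);
    return s.pag;
}

pag_t pag_with_groups_hack(void) {
    struct proc s = login_session(0);
    return hack_pag_of(&s);
}

/* An unprivileged session that already holds a PAG cannot swap it. */
int unprivileged_setpag_result(void) {
    struct proc s = login_session(1);
    return model_setpag(&s, 9999);
}

int main(void) {
    printf("dedicated field:  pag=%u\n", pag_with_dedicated_field());
    printf("groups-list hack: pag=%u (0 means lost)\n", pag_with_groups_hack());
    printf("unprivileged setpag: %d\n", unprivileged_setpag_result());
    return 0;
}
```

The dedicated field keeps its value through the groups rewrite and into the forked, de-privileged session, and the unprivileged session cannot replace it; the parked-gid version is wiped by the very `setgroups()` call every login program makes, which is why that approach has to special-case group handling everywhere.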