Subject: Re: mount_portal questions
To: Bill Studenmund <wrstuden@nas.nasa.gov>
From: Brian C. Grayson <bgrayson@marvin.ece.utexas.edu>
List: tech-userlevel
Date: 07/28/1999 00:51:57
On Tue, Jul 27, 1999 at 11:14:19AM -0700, Bill Studenmund wrote:
> 
> I've snipped the initial quote, but I think it'd be fine for other users
> to access the portal mount. Just the portal daemon would run with either
> the initial user's credentials, or the intersection of the caller's and
> the mounter's credentials.

  Good!  The other thing is, what is the best way of figuring
out the intersection of the caller's and mounter's credentials?
I'm not very knowledgeable about euids and egids compared to
uids and gids.  I was thinking of just doing the following:

#include <errno.h>
#include <sys/types.h>
#include <unistd.h>
/*  struct portal_cred (uid, gid of the caller) comes from the portal
 *  daemon's own headers.  */

int lose_credentials(struct portal_cred *pcr)
{
  int errorcode = 0;

  if (getuid() == 0) {
    /*  Do all the setuid/setgid/setgroups stuff, set errorcode.  */
    return errorcode;
  }
  /*  else, the mount process was not owned by root.  Only allow
   *  forward progress if we have a uid and gid match.  */
  if ((getuid() != pcr->uid) && (geteuid() != pcr->uid))
    return EPERM;
  if ((getgid() != pcr->gid) && (getegid() != pcr->gid))
    return EPERM;
  /*  Otherwise, we have a uid _and_ gid match!  Allow the access.  */
  return 0;
}

  In an _ideal_ world, if only the gid matched, we would do a
setuid() to nobody but keep the gid, and continue, but in the
real world, only root can setuid(nobody), right?  And, should
the kernel be figuring out the caller's euid and egid and
passing that in the credentials, also?

  Thanks for all the feedback, folks!

  Brian
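The two branches Brian sketches above, filled in as an added example (not code from the original message or from mount_portal): the non-root "intersection" test as a pure function, and the root-only identity switch with the groups/gid/uid ordering and the return-value checks a privilege drop needs. struct cred_pair and the function names are assumed stand-ins for the real portal_cred and its fields.

```c
#define _DEFAULT_SOURCE 1   /* glibc: declare setgroups(); harmless elsewhere */
#include <errno.h>
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed stand-in for mount_portal's portal_cred; field names assumed. */
struct cred_pair {
    uid_t uid;
    gid_t gid;
};

/* Non-root daemon: the caller proceeds only if its uid matches the daemon's
 * real or effective uid AND its gid matches the real or effective gid.
 * A pure function of its arguments, so the policy can be tested off-line. */
int intersect_ok(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid,
                 const struct cred_pair *caller)
{
    if (caller->uid != ruid && caller->uid != euid)
        return EPERM;
    if (caller->gid != rgid && caller->gid != egid)
        return EPERM;
    return 0;
}

/* Root daemon: become the caller.  Order matters: supplementary groups and
 * gid are dropped while still root, uid last; every step is checked so a
 * failed setuid() never leaves the daemon silently running as root.
 * Returns 0 or an errno value. */
int drop_to_caller(const struct cred_pair *caller)
{
    gid_t only[1] = { caller->gid };

    if (setgroups(1, only) == -1)
        return errno;
    if (setgid(caller->gid) == -1)
        return errno;
    if (setuid(caller->uid) == -1)
        return errno;
    /* Confirm the switch: real and effective ids must both have changed. */
    if (getuid() != caller->uid || geteuid() != caller->uid ||
        getgid() != caller->gid || getegid() != caller->gid)
        return EPERM;
    return 0;
}
```

A caller that is root would use drop_to_caller(), anyone else intersect_ok() with its own getuid()/geteuid()/getgid()/getegid() values, exactly as the posted lose_credentials() dispatches.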