Samuel Thibault, on Wed 18 Jun 2008 12:56:53 +0100, wrote:
> Neal H. Walfield, on Wed 18 Jun 2008 13:43:41 +0200, wrote:
> > At Wed, 18 Jun 2008 12:41:48 +0200,
> > Neal H. Walfield wrote:
> > >
> > > At Wed, 18 Jun 2008 12:20:10 +0200 (CEST),
> > > Arthur de Jong wrote:
> > > > > One question you should consider is: why do you need this information?
> > > > [...]
> > > >
> > > > I agree with your point in general and think there are better ways to
> > > > do access control.
> > > >
> > > > nss-ldapd is an NSS module that does lookups in an LDAP database. The
> > > > NSS module does not do the lookup itself (this causes a lot of
> > > > headaches) but offloads it to a daemon (nslcd). Most NSS calls should
> > > > be no problem but shadow calls pose an exception to that. The server
> > > > (nslcd) will only return shadow information if it can determine that
> > > > the caller runs as root.
> > > >
> > > > So I would like to keep one socket for all requests and not mess with
> > > > permissions of sockets.
> > >
> > > Sounds broken. Good luck.
> >
> > That wasn't very helpful. If you are dead set on using IBAC, you
> > could use the auth protocol to establish the identity of the client.
> > The interface is described in auth/auth.defs .
>
> Well, I guess he doesn't have a running Hurd system.
>
> Actually I guess we could easily add SO_PASSCRED to pflocal sockets, by
> using auth_user_authenticate/auth_server_authenticate indeed.

(I mean SO_PASSCRED and then use SCM_CREDENTIALS to pass credentials through
the socket)

Samuel
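The SO_PASSCRED / SCM_CREDENTIALS check mentioned in the message, as an added example that is not from the thread and is not nslcd or pflocal code: it shows the existing Linux behaviour, where the kernel attaches the sender's pid/uid/gid and the server releases shadow data only to uid 0. The request string and function names are constructed for illustration, and the socketpair stands in for the client-to-daemon connection.

```python
import socket
import struct

# Linux struct ucred: pid_t pid; uid_t uid; gid_t gid
UCRED = struct.Struct("iII")


def recv_with_creds(sock, bufsize=4096):
    """Receive one message; return (data, (pid, uid, gid)) or (data, None)."""
    data, ancdata, flags, _addr = sock.recvmsg(
        bufsize, socket.CMSG_SPACE(UCRED.size)
    )
    if flags & socket.MSG_CTRUNC:
        # Control data was truncated: treat as "no credentials".
        return data, None
    for level, ctype, cdata in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_CREDENTIALS:
            return data, UCRED.unpack(cdata[: UCRED.size])
    return data, None


def may_read_shadow(creds):
    """Fail closed: missing credentials never grant access to shadow data."""
    return creds is not None and creds[1] == 0


def demo():
    # Constructed stand-in for the single socket shared by all requests.
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with server, client:
        # Enable on the receiving side before any request is sent, so the
        # kernel attaches the sender's credentials to every message.
        server.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
        client.sendall(b"shadow-lookup alice")  # hypothetical request format
        return recv_with_creds(server)


if __name__ == "__main__":
    request, creds = demo()
    print(request, creds, "shadow allowed:", may_read_shadow(creds))
```

The credentials are filled in by the kernel, not taken from the request payload, so the server never has to trust anything the client says about its own identity.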

