> If the system supports PAM, it could address (1) and (4). The PAG could be obtained in PAM, as long as the PAM routine is called from a process that will become the user's shell, or one of its parents. (This is related to the privsep problems. You indicate below that it is fixed.) And due to the way PAGs are implemented, it needs to be done after the groups are set by a daemon.
Uh, no it doesn't. That's why we trap setgroups().
> If it's only the GIDs, would it be possible for a daemon to exec some kind of helper app (something like klog -setpag, I guess), which returns those GIDs on its stdout for the daemon to add to the user's groups?
Yes and no. Yes, it's only the GID's, but no, that's an implementation detail and exposing it to something like ssh would be a significant abstraction violation. It also wouldn't work, since once you have a pag you cannot change it by calling setgroups().
-- 
Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
_______________________________________________
OpenAFS-devel mailing list
[EMAIL PROTECTED]
https://lists.openafs.org/mailman/listinfo/openafs-devel
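Added illustration of the mechanism discussed above; this is not code from the thread or from the OpenAFS tree. It models a PAG carried in two supplementary GIDs and a trapped setgroups() that re-inserts the PAG the process already holds, so a daemon resetting the group list can neither drop the PAG nor install a different one through setgroups(). The two-GID encoding (0x3f00-based pairs with an 'A' marker byte) is written from memory of the classic OpenAFS Unix scheme and should be checked against the source; the trap itself is a simplified userspace model of what the kernel hook does, with the scenario values (gids 100, 200, 300 and PAG 0x41000001) constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

#define NOPAG      0xffffffffU
#define MAX_GROUPS 32

/* Encode a PAG as the two GIDs that carry it (modelled on the classic
 * OpenAFS Unix encoding, reproduced from memory; verify against the tree). */
static void groups_from_pag(uint32_t pag, gid_t *g0p, gid_t *g1p)
{
    uint32_t g0, g1;
    pag &= 0x7fffffffu;
    g0 = 0x3fffu & (pag >> 14);
    g1 = 0x3fffu & pag;
    g0 |= ((pag >> 28) / 3) << 14;
    g1 |= ((pag >> 28) % 3) << 14;
    *g0p = (gid_t)(g0 + 0x3f00u);
    *g1p = (gid_t)(g1 + 0x3f00u);
}

/* Decode a GID pair back into a PAG; NOPAG if the pair is not a PAG. */
static uint32_t pag_from_groups(gid_t g0, gid_t g1)
{
    uint32_t a = (uint32_t)g0 - 0x3f00u;   /* wraps (and fails the check) for ordinary gids */
    uint32_t b = (uint32_t)g1 - 0x3f00u;
    if (a < 0xc000u && b < 0xc000u) {
        uint32_t l = ((a & 0x3fffu) << 14) | (b & 0x3fffu);
        uint32_t h = a >> 14;
        h = (b >> 14) + h + h + h;
        uint32_t ret = (h << 28) | l;
        if (((ret >> 24) & 0xffu) == 'A')  /* marker byte distinguishes a PAG from stray gids */
            return ret;
    }
    return NOPAG;
}

/* Round trip used to sanity-check the encoding. */
static uint32_t roundtrip_pag(uint32_t pag)
{
    gid_t g0, g1;
    groups_from_pag(pag, &g0, &g1);
    return pag_from_groups(g0, g1);
}

/* Scan a group list for a PAG pair. */
static uint32_t pag_in_groups(const gid_t *g, size_t n)
{
    for (size_t i = 0; i + 1 < n; i++) {
        uint32_t p = pag_from_groups(g[i], g[i + 1]);
        if (p != NOPAG)
            return p;
    }
    return NOPAG;
}

/* Simplified model of the setgroups() trap: install the caller's list, but
 * keep the PAG the process already had and ignore any PAG-looking pair in
 * the request. 'cur' is the process's group list (updated in place, capacity
 * 'cap'); returns the new length or -1 if it would overflow. */
static int trapped_setgroups(gid_t *cur, size_t ncur, size_t cap,
                             const gid_t *req, size_t nreq)
{
    uint32_t old = pag_in_groups(cur, ncur);
    size_t n = 0;
    if (old != NOPAG) {                 /* existing PAG always survives */
        if (cap < 2) return -1;
        groups_from_pag(old, &cur[0], &cur[1]);
        n = 2;
    }
    for (size_t i = 0; i < nreq; i++) {
        if (i + 1 < nreq && pag_from_groups(req[i], req[i + 1]) != NOPAG) {
            i++;                        /* setgroups() is not a way to acquire a PAG */
            continue;
        }
        if (n >= cap) return -1;
        cur[n++] = req[i];
    }
    return (int)n;
}

/* Scenario 1 (constructed): the process holds 'pag' plus gid 100; a daemon then
 * calls setgroups({200, 300}). Returns the PAG visible afterwards. */
static uint32_t scenario_keeps_pag(uint32_t pag)
{
    gid_t groups[MAX_GROUPS];
    const gid_t req[] = { 200, 300 };
    groups_from_pag(pag, &groups[0], &groups[1]);
    groups[2] = 100;
    int n = trapped_setgroups(groups, 3, MAX_GROUPS, req, 2);
    if (n != 4 || groups[2] != 200 || groups[3] != 300)
        return NOPAG;                   /* unexpected layout */
    return pag_in_groups(groups, (size_t)n);
}

/* Scenario 2 (constructed): no PAG yet; the caller tries to hand one in through
 * setgroups(). Returns the PAG visible afterwards (expected: none). */
static uint32_t scenario_cannot_set_pag_via_setgroups(void)
{
    gid_t groups[MAX_GROUPS] = { 100 };
    gid_t req[3];
    groups_from_pag(0x41000002u, &req[0], &req[1]);
    req[2] = 200;
    int n = trapped_setgroups(groups, 1, MAX_GROUPS, req, 3);
    if (n != 1 || groups[0] != 200)
        return 1;                       /* unexpected layout: non-NOPAG sentinel */
    return pag_in_groups(groups, (size_t)n);
}

int main(void)
{
    printf("after daemon setgroups(): pag 0x%08x\n", scenario_keeps_pag(0x41000001u));
    printf("pag smuggled via setgroups(): 0x%08x (NOPAG is 0x%08x)\n",
           scenario_cannot_set_pag_via_setgroups(), NOPAG);
    return 0;
}
```

The point the model makes concrete is the one in the reply: the PAG is an implementation detail living in the group list, and because the trap re-inserts it after every setgroups(), a daemon cannot substitute GIDs obtained from a helper for it, nor accidentally strip it when it sets the user's groups.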
