<<On Mon, 24 Jul 2006 10:58:39 -0400, Jeffrey Hutzelman <[EMAIL PROTECTED]> said:
> The 8 bits aren't about indicating that the group encoding is valid; > they're not even encoded. They're about distinguishing PAG's from UID's in > all the _other_ places where they appear. There's another way to handle this, though: never let anything other than a PAG appear. I don't have the source code in front of me at the moment, but my recollection is that UIDs show up when the "look up a PAG for this credential" operation returns NOPAG. If that operation can never fail in this way (by, for example, lazily associating a fake PAG with every UID) then no such confusion can occur. Some operating systems may provide an efficient means for doing this, so it makes sense to me to do the PAG-based versus UID-based context handling in this way. (Implementing this as a TrustedBSD MAC policy, for example, should be fairly easy and provide all the expected semantics.) -GAWollman _______________________________________________ OpenAFS-devel mailing list [email protected] https://lists.openafs.org/mailman/listinfo/openafs-devel
