Hi Chas!

On 9 Aug 2006, at 18:16, chas williams - CONTRACTOR wrote:

> In message <[EMAIL PROTECTED] muenchen.de>, Roland Kuhn writes:
>
>> You got me curious. I should probably have watched this thread more closely and maybe it would then be clear to me: Why should userspace ever see a PAG identifier? What should it be able to do with it?
>
> ideally, the userspace would be unaware of the pag and/or be able to read/write it. however, pags were stored in the group list which was the only thing available at the time. so users could see the pag and do unwise things. only root can change the group list so this at least kept ordinary users from manipulating their group list.

Okay, so PAG reuse should not be an issue, right? :-) If you do "unwise things", you get to keep the pieces.

> with the keyring, the pag is stored in the user's session keyring. so the user can see the pag, but not its value (since the key doesn't have a read/update entry point).

Why is it necessary to identify a PAG by something else than the equivalent keyring? Forgive my ignorance about keyring internals, but I would imagine that a PAG is represented by processes holding a reference to a certain keyring, which in turn contains an authentication token for AFS.

> so the current keyring implementation is close to what would be ideal (with some exceptions regarding session management when sharing with other keyring users). right now the keyring code puts back the pag groups but there is no particular reason for this. it's just compatibility -- people expect to see the pag groups in the group list.

Well, _some_ do. Others don't. It's an idiosyncrasy which some people got used to.
Ciao,
Roland
--
TU Muenchen, Physik-Department E18, James-Franck-Str., 85748 Garching
Telefon 089/289-12575; Telefax 089/289-12570
--
CERN office: 892-1-D23 phone: +41 22 7676540 mobile: +41 76 487 4482
--
Any society that would give up a little liberty to gain a little
security will deserve neither and lose both. - Benjamin Franklin
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GS/CS/M/MU d-(++) s:+ a-> C+++ UL++++ P+++ L+++ E(+) W+ !N K- w--- M+ !V Y+
PGP++ t+(++) 5 R+ tv-- b+ DI++ e+++>++++ h---- y+++
------END GEEK CODE BLOCK------
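The property chas describes above, a PAG key that a process can see in its session keyring but whose value it cannot read because the key type has no read entry point, can be shown on a stock Linux box with the kernel's keyctl interface. The program below is an added example written for this page; it is not code from the thread, from OpenAFS or from the kernel's AFS/keyring patches. A stock kernel has no "afs_pag" key type, so the example uses the built-in "logon" key type (Linux 3.3 and later) as a stand-in: like the PAG key, it can be described and unlinked but has no read method, so KEYCTL_READ fails with EOPNOTSUPP. The description "afspag:demo", the payload bytes and the sample describe string are constructed for the example; the raw syscall wrappers avoid a dependency on libkeyutils, and the demo reports 1 rather than failing where keyctl is not permitted (for example under a container seccomp profile that blocks add_key/keyctl).

```c
/*
 * Added example (not from the thread, OpenAFS or the kernel): a key that is
 * visible in the session keyring via KEYCTL_DESCRIBE but whose payload cannot
 * be read via KEYCTL_READ. "logon" stands in for the PAG key type here; both
 * lack a read method. Build: cc -o pagkey pagkey.c  (Linux only)
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/keyctl.h>

typedef int32_t key_serial_t;

/* Raw syscall wrappers so the example does not need libkeyutils. */
static key_serial_t sys_add_key(const char *type, const char *desc,
                                const void *payload, size_t plen,
                                key_serial_t ring)
{
    return (key_serial_t)syscall(__NR_add_key, type, desc, payload, plen, ring);
}

static long sys_keyctl(int cmd, unsigned long a2, unsigned long a3,
                       unsigned long a4, unsigned long a5)
{
    return syscall(__NR_keyctl, cmd, a2, a3, a4, a5);
}

/*
 * KEYCTL_DESCRIBE fills "type;uid;gid;perm;description". Extract the type and
 * the description; returns 0 on success, -1 if the string is malformed or the
 * output buffers are too small.
 */
int parse_key_description(const char *s, char *type, size_t tlen,
                          char *desc, size_t dlen)
{
    const char *p = strchr(s, ';');
    if (!p || (size_t)(p - s) >= tlen)
        return -1;
    memcpy(type, s, p - s);
    type[p - s] = '\0';

    /* Skip uid, gid and perm; the description follows the fourth ';'. */
    for (int i = 0; i < 3; i++) {
        p = strchr(p + 1, ';');
        if (!p)
            return -1;
    }
    if (strlen(p + 1) >= dlen)
        return -1;
    strcpy(desc, p + 1);
    return 0;
}

/*
 * Returns 0 when the property is demonstrated (key describable, payload not
 * readable), 1 when this environment does not let us add a key at all, and
 * -1 on anything unexpected (including a readable payload).
 */
int pag_key_visibility_demo(void)
{
    const char payload[] = "constructed-token-bytes";   /* constructed */
    key_serial_t k = sys_add_key("logon", "afspag:demo", payload,
                                 sizeof(payload) - 1, KEY_SPEC_SESSION_KEYRING);
    if (k < 0) {
        printf("add_key not available here: %s\n", strerror(errno));
        return 1;
    }

    char buf[256], type[32], desc[128];
    long n = sys_keyctl(KEYCTL_DESCRIBE, (unsigned long)k,
                        (unsigned long)buf, sizeof buf, 0);
    if (n < 0 || n >= (long)sizeof buf)
        return -1;
    if (parse_key_description(buf, type, sizeof type, desc, sizeof desc) < 0)
        return -1;
    printf("visible: serial=%d type=%s description=%s\n", k, type, desc);

    /* The payload must stay hidden: the type has no read method. */
    n = sys_keyctl(KEYCTL_READ, (unsigned long)k, (unsigned long)buf, sizeof buf, 0);
    int hidden = (n < 0 && errno == EOPNOTSUPP);
    printf("read payload: %s\n", hidden ? "refused (EOPNOTSUPP)" : "ALLOWED");

    /* Unlinking is permitted even though reading is not. */
    sys_keyctl(KEYCTL_UNLINK, (unsigned long)k, KEY_SPEC_SESSION_KEYRING, 0, 0);
    return hidden ? 0 : -1;
}

int main(void)
{
    int r = pag_key_visibility_demo();
    if (r == 1)
        puts("keyctl not permitted here; nothing to demonstrate");
    return r < 0;
}
```

Run it as an ordinary user and compare with `keyctl show` (from keyutils) in the same shell: the key is listed with its type and description, which is what "the user can see the pag" means, while `keyctl print <serial>` on it fails the same way the program's KEYCTL_READ does.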
