Russ Allbery wrote:
[...] AFS uses keyrings on Linux and a loadable kernel module on other platforms that does nasty things to piggyback off of supplemental groups (something that I certainly wouldn't advocate as a good solution, but which has worked surprisingly well for many years).
It's not surprising from the standpoint that supplemental groups were designed from the outset to accomplish exactly what PAGs need -- inherit rights to access a restricted resource. Clever as keyrings and such are, a simpler implementation would be to allow process to instantiate arbitrary otherwise free supplemental groups and use them to restrict access to keyrings, ccaches, etc. to those processes that are members of those groups, and let the normal group inheritance mechanisms that have been around forever do the Right Things. The unfortunate legacy of limiting groups to stuff listed in /etc/groups has lead to a lot of convoluted schemes (as this discussion avidly demonstrates) to accomplish basically the same thing.
-- +--------------------------------------------------------------+ / [EMAIL PROTECTED] 919-445-9302 http://www.unc.edu/~utoddl / / Honk if you love peace and quiet. / +--------------------------------------------------------------+ _______________________________________________ OpenAFS-devel mailing list OpenAFS-devel@openafs.org https://lists.openafs.org/mailman/listinfo/openafs-devel
