Hi Henry, On Thu, Aug 30, 2007 at 01:00:20PM -0700, Henry B. Hotz wrote: > Everyone's entitled to an opinion as long as they realize they're > wrong if they disagree with mine. ;-)
:) sure. > The basic *nix design was oriented toward single multiuser machines. > The uid is completely useless as a credential for accessing network > resources. Perhaps PAGs contradict the design, but that's because > the design is not applicable. Obviously that has user-visible > effects, but I see no issue there except that the user needs to learn > the difference. (Or are you proposing that Unix should be updated to > use a network-verifiable identity in place of the uid?) Exactly the other way around, actually. I would argue for connecting each network identity to a different local uid, this is more or less the only implicitely "safe" identity scope on a *nixish system. With other words, if a person happens to use several network identities, the corresponding processes should have different local uids. Data flow between those identities then has to be explicit and the level of protection/isolation can correspond to the actual task's needs (e.g. using local common file areas with properly chosen modes). [the actual uid allocation method is irrelevant as long as uids are not shared by different identities. I'm using static allocation, it can be done dynamically as well] Given the above I am fine with Kerberos credentials in a local file protected by the ancient "owner" and mode bits. Best regards Rune _______________________________________________ OpenAFS-devel mailing list [email protected] https://lists.openafs.org/mailman/listinfo/openafs-devel
