>On Sun, Jul 05, 2009 at 05:02:04PM +0200, Casper.Dik at Sun.COM wrote:
>> >Not so much exec_attr as getusernam(3C).
>> 
>> And why would that fail?
>
>As root it might fail.  The reason is that the directory might not want
>to let host entities see user data, while allowing users to see it.
>Enabling that was the point of self-credentialled name service lookups.
>
>In an environment that demands that pfexecd should fork helper processes
>to do the name service lookups as the users that are exec()ing things.

The current implementation uses the client's effective uid and group id.
pfexec() always calls getusernam() with an effective uid of root.

Both the current implementation and the proposed implementation will
call nscd with the same effective uid and no change in behaviour will
be seen.

Casper

