From mboxrd@z Thu Jan 1 00:00:00 1970 From: Pavel Machek Subject: Re: [PATCH] in-core AFS multiplexor and PAG support Date: Sat, 17 May 2003 14:30:44 +0200 Sender: linux-kernel-owner@vger.kernel.org Message-ID: <20030517123044.GG686@zaurus.ucw.cz> References: <8812.1052841957@warthog.warthog> <20030513172029.GB25295@delft.aura.cs.cmu.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Return-path: To: Linus Torvalds , David Howells , linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, openafs-devel@openafs.org Content-Disposition: inline In-Reply-To: <20030513172029.GB25295@delft.aura.cs.cmu.edu> List-Id: linux-fsdevel.vger.kernel.org Hi! > > The advantage of associating the PAG with the real uid rather than make it > > per-process is that it's a lot easier to administer that way, I think. You > > don't need to log out or anything like that to have changes take effect > > for your session, and it is very natural to say "this user now gets key > > X". Which is what I think you really want when you do something like enter > > a key to an encrypted filesystem, for example. > > The local user id is not a 'trusted' identity for a distributed filesystem. > Any user still have to prove his identity by obtaining tokens. > > If someone obtains my user id on in any way (i.e. weak password/ > bufferoverflow/ root exploit), he should not be allowed to use or access > my tokens as he hasn't proven his identity. In this case he would either ? If he has same uid as you *and* you have >=1 process running, what prevents him from gdb attach , and force it to do whatever he needs by forcing syscall? Pavel -- Pavel Written on sharp zaurus, because my Velo1 broke. If you have Velo you don't need...