Re: In-kernel Authentication Tokens (PAGs)

[David Howells <dhowells@redhat.com>]

> One other thing that I'm not certain about in this patch is if there
> is actually an important difference between "process" and
> "session" key-rings.  I believe that the "session" distinction
> should be left up to user-space software like PAM to determine
> which key-ring "session" a process should belong to.

Well, userspace can decide that a process should begin a new session. I'd
envision this as a user gets a session keyring for each login, and so are able
to use these to hold different sets of credentials that don't interfere with
each other.

A UID keyring would be too pervasive - a key in there would affect _every_
process owned by that user - which might be undesirable.

A process keyring wouldn't be pervasive enough. You couldn't, for example, run
aklog in your shell to get you an AFS token attached to the session, use that
token several times by running programs and then quit the shell to dispose of
the token. Each process wanting the token would have to get itself a new token
by contacting the Kerberos server.

> The user and group key-rings are a good idea, so I guess the order with
> which key-rings are checked for keys is:
> 	Thread
> 	Process
> 	Session???
> 	User
> 	Group

That's about it, yes. Group keyrings don't currently actually exist.

David