If the PAG was implemented well, then even the Kerberos credentials
could be contained within the PAG, or accessible only by other processes
in the same PAG.
One way to think of the PAG is a way of getting around the limited
capabilities of UNIX to have only a UID which is only locally unique.
The PAG identifies the user globally, and stores credentials to use
to prove it to other systems of file systems.
Linus said in two previous note:
> I think we should make the current "tsk->user" thing _be_ the "PAG".
and:
> A "user" is by definition what the unix filesystem considers to be the
> "atom of security".
This may well be true, but current UNIX file systems continue to use the
simple UID and GID for access. Maybe there something that can be done
here as well.
>
> -- Nathan
> _______________________________________________
> OpenAFS-devel mailing list
> OpenAFS-devel@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-devel
--Douglas E. Engert <DEEngert@anl.gov> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/