
Re: getpeercred() on the Hurd



At Wed, 18 Jun 2008 12:41:48 +0200,
Neal H. Walfield wrote:
> 
> At Wed, 18 Jun 2008 12:20:10 +0200 (CEST),
> Arthur de Jong wrote:
> > > One question you should consider is: why do you need this information?
> > [...]
> > 
> > I agree with your point in general and think there are better ways to 
> > do access control.
> > 
> > nss-ldapd is an NSS module that does lookups in an LDAP database. The NSS 
> > module does not do the lookup itself (this causes a lot of headaches) but 
> > offloads it to a daemon (nslcd). Most NSS calls should be no problem but 
> > shadow calls pose an exception to that. The server (nslcd) will only 
> > return shadow information if it can determine that the caller runs as 
> > root.
> > 
> > So I would like to keep one socket for all requests and not mess with 
> > permissions of sockets.
> 
> Sounds broken.  Good luck.

That wasn't very helpful.  If you are dead set on using IBAC, you
could use the auth protocol to establish the identity of the client.
The interface is described in auth/auth.defs.

Neal
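
The check described in the quoted message (one socket for all requests, shadow data returned only when the caller runs as root), as an added example that is not code from nss-ldapd or from this thread. It assumes Linux, where `SO_PEERCRED` exists, so it does not apply to the Hurd as written; `handle_request` and the request strings are hypothetical.

```python
import os
import socket
import struct

# Linux struct ucred layout: pid_t pid; uid_t uid; gid_t gid.
UCRED = struct.Struct("iII")


def peer_credentials(conn):
    """Return (pid, uid, gid) the kernel recorded for the peer of an AF_UNIX socket."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, UCRED.size)
    return UCRED.unpack(raw)


def handle_request(conn, request):
    """Hypothetical dispatcher: every request type shares one socket, and only
    shadow lookups depend on who the peer is."""
    if not request.startswith("shadow"):
        return "ok"
    try:
        _pid, uid, _gid = peer_credentials(conn)
    except (OSError, struct.error):
        # Fail closed: if the identity cannot be established, treat as non-root.
        return "denied"
    return "ok" if uid == 0 else "denied"


def demo():
    """Constructed input: a socketpair stands in for the client/daemon connection."""
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        return (
            peer_credentials(server),
            handle_request(server, "passwd alice"),
            handle_request(server, "shadow alice"),
        )
    finally:
        server.close()
        client.close()


if __name__ == "__main__":
    print(demo())
```

The credentials are those captured by the kernel when the socket was connected (or, for a socketpair, created), not values supplied by the client.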

