On 1/17/2017 11:34 AM, Trond Myklebust wrote: >> >> https://docs.google.com/document/d/1P27fP1uj-C8QdxDKMKtI-Qh00c5_9zJa4 >> YHjnpB6ODM/pub >> >> Jeffrey Altman >> > > > There is the usual problem when you have to do an upcall in order to > set up the authentication context for session based protocols, such as > RPCSEC_GSS. > Trond, Thanks for the thought but that is not the issue here. systemd --user launches processes as the user but those processes do not share the same keyring as the processes started from the pam stack at logon. Since the keyring doesn't match, the processes started by systemd --user are in a different authentication context. Setting the effective 'uid' is insufficient to gain access to the proper authentication context. I agree that upcalls are often a problem which is why the AFS family of protocols does not use them. Typically a process will be created in userland for each PAG to push refreshed credentials to the kernel module. Jeffrey Altman
begin:vcard fn:Jeffrey Altman n:Altman;Jeffrey org:AuriStor, Inc. adr:Suite 6B;;255 West 94Th Street;New York;New York;10025-6985;United States email;internet:jaltman@xxxxxxxxxxxx title:Founder and CEO tel;work:+1-212-769-9018 note;quoted-printable:LinkedIn: https://www.linkedin.com/in/jeffreyaltman=0D=0A= Skype: jeffrey.e.altman=0D=0A= url:https://www.auristor.com/ version:2.1 end:vcard
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
