New policy type to check client credentials?
hp at pobox.com
Mon Feb 2 09:13:50 PST 2009
On Mon, Feb 2, 2009 at 4:07 AM, Markku Savela <msa at moth.iki.fi> wrote:
> This is supposed to build a set of policy what client can do and
> not. For me, it is actually a designed feature, that the resulting
> policy is based on the dynamic credentials the client has at the time
> of connection. It does not matter if the groups in process context are
> changed after that.
It could make sense to recheck groups at connect time, I can imagine a
pretty simple patch to do that instead of caching groups forever as I
think we do now.
> - libcreds1 library (separate, because I wish this to be standard
> feature). And this is only reference implementation based on
> /sys/<pid>/proc info, until kernel has proper API for this.
> - actual DBus patch.
> Just post to this list? Or send to someone for preview?
Just posting to the list is fine. I think depending on bleeding-edge
libraries and kernel patches is a problem for us; it would have to be
optional in configure, and we would want to see some indication from
the kernel developers and other people that they will be using the
library and the kernel patches.
More information about the dbus