Re: What's eating gilbert pid? (kevent NOTE_FORK and pids question)
On Fri, Feb 19, 2010 at 3:17 PM, Terry Lambert <tlambert@apple.com> wrote:
On Feb 19, 2010, at 11:59 AM, Derrick Brashear wrote:
That's also not really "better". Alas, what I really want to do is track processes in some way such that marking a process causes that mark to be inherited by children, and allow the kernel to read the mark, and a process can cause itself to get a new mark which will be inherited to *its* future children, and it seems that's simply not possible:
- The MAC subsystem isn't supported (http://developer.apple.com/mac/library/qa/qa2007/qa1574.html)
- login contexts and audit sessions are one-per-process and owned by system software
- I'm insufficiently special to use a mach special port (there are 7)
- The kauth external cred resolver interface allows but a single resolver and I'm not memberd.
What actor needs access to the information?
A kernel extension will decide which credentials to use based on the information. (OpenAFS, in this case)
(1) This is what the keychain mechanism gives you
The goal is to within, say, a login session, give away the session I have and enroll in a new one. This should ideally affect only me, so, how do I do this without causing the user to lose access to their keychain? (I assume this would be with setlcid and using that would seem to have this side effect)
(2) Consider adding a directory services plugin, which gives you access as part of the authority of memberd
That may be plausible.
(3) Consider simply putting the initial process in an additional supplementary group
That's fixed, though. Every login session would be an initial process (so if I ssh in more than once, each sshd should be treated as disjoint; If I am also a console user, that's also disjoint)

--
Derrick