site_archiver@lists.apple.com Delivered-To: darwin-kernel@lists.apple.com On Nov 27, 2008, at 9:06 AM, Rick Macklem wrote: = Mike _______________________________________________ Do not post admin requests to the list. They will be ignored. Darwin-kernel mailing list (Darwin-kernel@lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/darwin-kernel/site_archiver%40lists.a...

From looking at kern_credential.c, all I can think of is doing

kauth_cred_guid2gid() first and assuming it is a group, if it succeeds. (Which won't work if a given guid_t represents both a gid and uid.) Any suggestions on how to handle this? GUIDs are globally unique IDs; it is a directory service administration error to have a GUID that maps to more than one entity. Group first is a sensible policy; it's reasonable to expect that ACL entries will tend to indirect through role groups than directly reference users. This email sent to site_archiver@lists.apple.com