On Apr 14, 2013, at 6:39 AM, Hallvard Breien Furuseth wrote:
> You can instead look for a mechanism with built-in credential passing,
> apparently like Solaris "doors".
The sample client-server programs, see link below, show an experiment on Solaris 8 in which the server creates and listens for door calls, while the client invokes them. When the client invokes a door_call, the server gets the euid and egid, among others, of the client:
https://dl.dropboxusercontent.com/u/94235048/door_call.tgz
http://docs.oracle.com/cd/E18752_01/html/816-5171/door-call-3door.html
# ./server
successfully created a door
euid (101) egid (1) ruid (101) rgid (1) pid (8947)

$ id
uid=101(tedcheng) gid=1(other)
$ ./client
pid (8947): door_call succeeded
There is the situation in which we are sending/getting client credentials from a door call through, say, /tmp/door, while service requests, such as nssov/nslcd (nss-pam-ldapd), go through a separate Unix domain socket. There is therefore the need to tie client credentials with their respective (name) service requests; "doors" implements its own threading support. The work to integrate doors for client credential support into a server with threading support, such as slapd, may get complicated fast.
"Doors" does not seem to be a feasible solution for sending client credentials in a context such as nssov/slapd.
> Or look at what some other well-tested
> and portable package does and suggest we steal its code.
This may be the only option, if there exists one, for older-system support (Solaris 8).
Ted C. Cheng
Symas Corporation