Coda File System

ACLs, PAGs and PACs

From: Jim Doyle <jrd_at_bu.edu>
Date: Wed, 10 Dec 1997 14:28:44 -0500 (EST)
It was mentioned that RPC2 is already instrumented to use multiple
authentication protocols - Kerberos V4 being one that is apparently
already implemented.

I was wondering if PAGs (a la AFS, DFS) are implemented in the Linux 
and *BSD ports. If so, how are they implemented?  PAGs allow
user-authentication information (i.e. Kerberos authenticators) to
follow a Unix process group (a tree of Unix processes originating from
a process leader). This allows you to log in to the box, authenticate to
AFS/DFS/etc. etc., and have your filesystem network credentials follow
you as you go about forking new processes (i.e. xterms).

PAGs are something I will have to face next year (1998) when I 
start the port of DFS to Linux as well. It would be nice if there
existed a generic way of attaching, updating, deleting opaque authentication
information with each Linux or BSD process in-kernel so that all of our
network filesystems can co-exist with each other. As far as I know,
Linux doesn't support such a facility. Linux AFS does not have PAGs, like
Solaris/AIX/etc AFS do. Instead, Linux AFS maps Unix UIDs to the AFS token.
It would be very cool to bang heads together with Linus et al. and work
out a design that makes sense for the most generic case.

It is not unlikely to have AFS, DFS, Coda, Kerberized NFS and Windows SMBFS 
all running on the same box, each with different authentication credentials 
stored in kernel for each user, for each filesystem technology. So, eventually,
this will need to be solved.


-- Jim

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Jim Doyle                         Boston University   Information Technology
Systems Analyst/Programmer        email: jrd_at_bu.edu   Distributed Systems
                                                      tel. (617)-353-8248
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++--+-+-+-+-+-+-
Received on 1997-12-10 14:53:37
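The message contrasts two ways a kernel can bind network-filesystem credentials to processes: a table keyed by Unix UID (what it says Linux AFS does) and PAG-scoped tokens that are inherited down a login session's process tree. The model below is an added illustration written for this page; it is not Coda, AFS or DFS code, and every class, function and token value in it is hypothetical. It walks one user logged in twice on the same box through both schemes and shows where the UID-keyed scheme lets one session's credentials leak into, or be clobbered by, the other.

```python
# Added model of UID-keyed versus PAG-keyed credential binding. Constructed
# illustration only: not Coda/AFS/DFS code; all names and tokens hypothetical.
from dataclasses import dataclass, field
from itertools import count
from typing import Optional

_next_pag = count(1)


@dataclass
class Process:
    """A process carrying the two identities a credential store can key on."""
    pid: int
    uid: int
    pag: Optional[int] = None          # None: process belongs to no PAG
    children: list = field(default_factory=list)

    def fork(self, child_pid: int) -> "Process":
        # Children inherit uid and PAG; this is what lets credentials follow a
        # login session down its process tree (shells, xterms, editors).
        child = Process(child_pid, self.uid, self.pag)
        self.children.append(child)
        return child

    def setpag(self) -> int:
        # AFS-style setpag(): this process and its future children get a fresh
        # PAG; processes forked earlier keep the old one (and its tokens).
        self.pag = next(_next_pag)
        return self.pag


class UidTokenStore:
    """Tokens keyed by (uid, filesystem): the scheme the message attributes to Linux AFS."""
    def __init__(self) -> None:
        self._tokens: dict = {}

    def set_token(self, proc: Process, fs: str, token: str) -> None:
        self._tokens[(proc.uid, fs)] = token

    def lookup(self, proc: Process, fs: str) -> Optional[str]:
        return self._tokens.get((proc.uid, fs))

    def logout(self, proc: Process, fs: str) -> None:
        self._tokens.pop((proc.uid, fs), None)


class PagTokenStore:
    """Tokens keyed by (pag, filesystem): credentials scoped to one login session."""
    def __init__(self) -> None:
        self._tokens: dict = {}

    def set_token(self, proc: Process, fs: str, token: str) -> None:
        if proc.pag is None:
            raise PermissionError("process is not in a PAG; call setpag() first")
        self._tokens[(proc.pag, fs)] = token

    def lookup(self, proc: Process, fs: str) -> Optional[str]:
        if proc.pag is None:
            return None
        return self._tokens.get((proc.pag, fs))

    def logout(self, proc: Process, fs: str) -> None:
        if proc.pag is not None:
            self._tokens.pop((proc.pag, fs), None)


def scenario(store) -> dict:
    """uid 1000 logged in twice (say console and remote), each session
    authenticating to "afs" with its own token. Returns what each session's
    xterm sees before and after session B logs out of AFS."""
    init = Process(pid=1, uid=0)
    login_a = init.fork(100)
    login_a.uid = 1000                 # login drops to the user's uid
    login_b = init.fork(200)
    login_b.uid = 1000
    if isinstance(store, PagTokenStore):
        login_a.setpag()               # each login session gets its own PAG
        login_b.setpag()
    store.set_token(login_a, "afs", "afs-token-for-session-A")   # constructed
    xterm_a = login_a.fork(101)
    store.set_token(login_b, "afs", "afs-token-for-session-B")   # constructed
    xterm_b = login_b.fork(201)
    before = {"xterm_a": store.lookup(xterm_a, "afs"),
              "xterm_b": store.lookup(xterm_b, "afs")}
    store.logout(login_b, "afs")
    after = {"xterm_a": store.lookup(xterm_a, "afs"),
             "xterm_b": store.lookup(xterm_b, "afs")}
    return {"before_logout": before, "after_logout": after}


if __name__ == "__main__":
    print("uid-keyed:", scenario(UidTokenStore()))
    print("pag-keyed:", scenario(PagTokenStore()))
```

Under the UID-keyed store, session B's authentication silently replaces session A's token and B's logout revokes A's access as well; under the PAG-keyed store each session keeps exactly the credential it obtained, and a process that calls `setpag()` after the fact starts with no tokens at all. That scoping is the property the message is asking the kernel to provide generically for every network filesystem on the box.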