> > > Also, using a separate PAG structure means that you can lend your keys to
> > > an SUID program and conversely it means a SUID program can't so easily
> > > gain access to keys it didn't inherit from its caller.
> >
> > "task->user" always follows uid ("real uid"), and as such you can always
> > switch back and forth by just changing uid.
>
> So anyone who has the ability to get root on a box can immediately use other
> people's keys with su... OTOH, the ability to get root would normally permit
> someone sufficiently motivated to get this anyway.

This isn't any good since it implies that a given uid can only have a
single set of tokens. Users can freely authenticate to afs and get
tokens for other afs ids at any time. As long as they are in different
pags, they can freely coexist. Now, if you're talking about pag-less
only, then the above is reasonable and expected.

-- Nathan
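The thread contrasts two ways of finding a process's credentials: by real uid (the "task->user" model) and by a separate PAG handle inherited across fork and kept across a uid change. The following is an added toy model written for this thread, not kernel or OpenAFS code; the `Process`, store classes and scenario functions are assumptions made for illustration. It plays through the three situations the posters raise: one uid holding two token sets in different PAGs, root using `su` to reach a user's tokens, and a setuid helper started from a user's shell.

```python
from dataclasses import dataclass
from itertools import count

# Hypothetical PAG id allocator for this model (constructed for the example).
_pag_ids = count(1)


@dataclass(frozen=True)
class Process:
    """Minimal process: a real uid and a PAG handle (model only)."""
    uid: int
    pag: int


class UidKeyedStore:
    """Tokens looked up by real uid, as in the 'task->user' model."""
    def __init__(self):
        self._by_uid = {}

    def add(self, proc, cell, token):
        # One mapping per uid: a second token for the same cell overwrites.
        self._by_uid.setdefault(proc.uid, {})[cell] = token

    def tokens(self, proc):
        return dict(self._by_uid.get(proc.uid, {}))


class PagKeyedStore:
    """Tokens looked up by PAG handle, independent of the current uid."""
    def __init__(self):
        self._by_pag = {}

    def add(self, proc, cell, token):
        self._by_pag.setdefault(proc.pag, {})[cell] = token

    def tokens(self, proc):
        return dict(self._by_pag.get(proc.pag, {}))


def fork(proc):
    """Child inherits both uid and PAG."""
    return Process(proc.uid, proc.pag)


def setuid(proc, uid):
    """Changing uid (su, or exec of a setuid binary) keeps the PAG."""
    return Process(uid, proc.pag)


def newpag(proc):
    """Enter a fresh PAG while keeping the uid."""
    return Process(proc.uid, next(_pag_ids))


def scenario_two_token_sets(store_cls):
    """Nathan's case: the same uid authenticates as two AFS ids in two PAGs."""
    store = store_cls()
    shell_a = Process(uid=1000, pag=next(_pag_ids))
    shell_b = newpag(shell_a)
    store.add(shell_a, "cell", "token-for-alice")
    store.add(shell_b, "cell", "token-for-alice.admin")
    return store.tokens(shell_a), store.tokens(shell_b)


def scenario_root_su(store_cls):
    """Root switches to the user's uid; which tokens does it now see?"""
    store = store_cls()
    user = Process(uid=1000, pag=next(_pag_ids))
    store.add(user, "cell", "token-for-alice")
    root = Process(uid=0, pag=next(_pag_ids))
    return store.tokens(setuid(root, 1000))


def scenario_suid_helper(store_cls):
    """A setuid-root helper run from the user's shell: lent keys vs gained keys."""
    store = store_cls()
    user = Process(uid=1000, pag=next(_pag_ids))
    store.add(user, "cell", "token-for-alice")
    root_admin = Process(uid=0, pag=next(_pag_ids))
    store.add(root_admin, "cell", "token-for-root")
    helper = setuid(fork(user), 0)
    return store.tokens(helper)


if __name__ == "__main__":
    for store_cls in (UidKeyedStore, PagKeyedStore):
        print(store_cls.__name__)
        print("  two token sets:", scenario_two_token_sets(store_cls))
        print("  root su to user:", scenario_root_su(store_cls))
        print("  setuid helper:", scenario_suid_helper(store_cls))
```

With the uid-keyed store the second authentication overwrites the first, `su` to a uid yields that uid's tokens, and the setuid helper picks up root's tokens rather than its caller's. With the PAG-keyed store the two token sets coexist, a bare uid change sees nothing, and the helper sees exactly the tokens its caller lent it.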