From owner-freebsd-questions Mon Apr 29 14:41:00 1996
Return-Path: owner-questions
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id OAA17209 for questions-outgoing; Mon, 29 Apr 1996 14:41:00 -0700 (PDT)
Received: from phaeton.artisoft.com (phaeton.Artisoft.COM [198.17.250.211]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id OAA17204 for ; Mon, 29 Apr 1996 14:40:56 -0700 (PDT)
Received: (from terry@localhost) by phaeton.artisoft.com (8.6.11/8.6.9) id OAA05136; Mon, 29 Apr 1996 14:30:24 -0700
From: Terry Lambert
Message-Id: <199604292130.OAA05136@phaeton.artisoft.com>
Subject: Re: Password in a directory
To: helio@compuland.com.br (Helio Coelho Junior)
Date: Mon, 29 Apr 1996 14:30:24 -0700 (MST)
Cc: questions@FreeBSD.ORG
In-Reply-To: <199604280016.VAA01732@sv.compuland.com.br> from "Helio Coelho Junior" at Apr 27, 96 09:16:33 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> Is it possible to put a password in a directory, so the
> user need to type to have access granted ?

No.

Because:

1) Credentials are associated with processes; they are not separate
   authentication instances (this is an error in the design of UNIX).

2) You can't associate another credential to indicate an "authenticated
   user" of a directory. There is one credential for a process.

3) You can't associate an authentication instance with a presence of a
   process "in" a hierarchy because of the concept of "current directory"
   (this is another error in the design of UNIX).

4) There is no way for the kernel to call back to the user to request an
   authentication at access time. You *could* set up a kludge based on an
   error followed by an ioctl() that would have to be built into a library
   interface used by all code. It would be a pain to do, since every
   application would require changes.
This is because UNIX does not support a "broadcast port" mechanism.
Supporting such a mechanism would require (1) terminal dependence of all
applications (that's how VMS does it), or an automaton per terminal type
(not practical), or a callback/requester (assumes credentials are
associated with a session manager and the user is running in a graphical
environment; that's how UnixWare handles NetWare client authorization,
and why SMBFS is a bad idea on FreeBSD and Linux).

If you have a specialized application, you could hack it, on the
assumption that only someone running the application and using it to
authenticate, or root, would ever access the directory.

					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
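The following is an added illustration of points 1) and 2) above; it is example code written for this page, not code from the post or from any BSD kernel. It models the classic UNIX discretionary permission check in user space: every input the check consumes is either a property of the calling process (its single credential: uid plus group set) or a property of the inode (owner, group, mode bits). There is simply no input slot where a per-directory password could be consulted, which is why a directory cannot prompt for one. The `struct cred`, `struct inode_perm` and `enum who` names, and the sample uids, gids and modes, are all constructed for this example.

```c
/* Added example, not from the original post: a user-space model of the
 * traditional UNIX access decision.  Everything it looks at belongs either
 * to the process credential or to the inode; no password is involved. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

#define MAY_READ  4
#define MAY_WRITE 2
#define MAY_EXEC  1

/* One credential per process (constructed struct for this example). */
struct cred {
    uid_t        uid;      /* effective uid */
    const gid_t *groups;   /* effective gid plus supplementary groups */
    size_t       ngroups;
};

/* The subset of an inode the permission check reads. */
struct inode_perm {
    uid_t    owner;
    gid_t    group;
    unsigned mode;         /* low 9 bits: rwxrwxrwx */
};

static bool in_group(const struct cred *c, gid_t g) {
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g) return true;
    return false;
}

/* True if a process holding credential c may perform 'want' (OR of MAY_*)
 * on the object.  Owner bits apply if the uid matches, otherwise group
 * bits if any group matches, otherwise the "other" bits.  Root bypasses
 * read/write checks but may only execute if some x bit is set. */
bool unix_may_access(const struct cred *c, const struct inode_perm *ip,
                     unsigned want) {
    unsigned bits;
    if (c->uid == 0)
        return !(want & MAY_EXEC) || (ip->mode & 0111) != 0;
    if (c->uid == ip->owner)         bits = (ip->mode >> 6) & 7;
    else if (in_group(c, ip->group)) bits = (ip->mode >> 3) & 7;
    else                             bits = ip->mode & 7;
    return (bits & want) == want;
}

/* Constructed sample data so the block runs stand-alone. */
static const gid_t staff_groups[] = { 100 };
static const gid_t guest_groups[] = { 200 };
static const struct cred owner_cred  = { 1000, staff_groups, 1 };
static const struct cred member_cred = { 1001, staff_groups, 1 };
static const struct cred guest_cred  = { 2000, guest_groups, 1 };
static const struct cred root_cred   = { 0,    guest_groups, 1 };

/* A private project directory: drwxr-x---  uid 1000  gid 100 */
static const struct inode_perm project_dir = { 1000, 100, 0750 };
/* A plain data file with no execute bits: -rw-r-----  uid 1000  gid 100 */
static const struct inode_perm plain_file  = { 1000, 100, 0640 };

enum who { OWNER, MEMBER, GUEST, ROOT };

/* Convenience wrapper over the sample credentials and project_dir. */
bool sample_access(enum who w, unsigned want) {
    static const struct cred *creds[] = { &owner_cred, &member_cred,
                                          &guest_cred, &root_cred };
    return unix_may_access(creds[w], &project_dir, want);
}

int main(void) {
    static const char *names[] = { "owner", "member", "guest", "root" };
    for (int w = OWNER; w <= ROOT; w++)
        printf("%-6s  r=%d w=%d x=%d\n", names[w],
               sample_access((enum who)w, MAY_READ),
               sample_access((enum who)w, MAY_WRITE),
               sample_access((enum who)w, MAY_EXEC));
    return 0;
}
```

Running it prints one row per sample credential; the guest row is all zeros because nothing about the guest process, no matter what it could type, matches the directory's owner or group. The only way to let the guest in is to change the process's credential (a different uid, or membership in gid 100), which is exactly what a setuid/setgid helper application does in the "specialized application" hack described above.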