[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: idvec-verify...

From: Roland McGrath
Subject: Re: idvec-verify...
Date: Fri, 22 Oct 2004 22:47:33 -0400 (EDT)

The spec for those get*_r calls says it fills in with NULL on errors or not
found (which is a non-error return value), so it is not necessary to check
the return value unless you want to distinguish "some error reading the
passwd info" from "lookup found nothing".  But here perhaps we do, to
return different error codes to the caller for those two cases.

I haven't really considered your changes deeply beyond that.  addauth with
numeric IDs that are not in passwd/group/shadow should still work for root.
Does it?  When it fails for a nonroot user it should diagnose a more useful
error than EINVAL, at least EPERM.  In fact, really addauth should just
handle numeric IDs and try it, and when the auth server refuses for nonroot
the EPERM return from auth_makeauth should propagate all the way back.
(For example, imagine an auth server decides to implement a policy where a
UID has control over a private range of other UIDs.  The client side should
not be constraining the auth server's process of deciding who can do what.)


reply via email to

[Prev in Thread] Current Thread [Next in Thread]