These commits make the API a bit more symmetric and allow more control (and document it) over when credentials are released, which is useful for privilege dropping purposes.
We should do something even more likely to drop access to privileged data: provide an export/import interface so you can: a) export a knc context, b) exec a child and pass it the exported context via an open, unlinked tmp file or shared memory, c) re-import the context. Actually, this needn't even look like an export/import pair of functions, more like:
```c
int     knc_allow_inherit(knc_ctx); /* returns an fd to import from */
knc_ctx knc_inherit(int);           /* rebuilds the context from that fd */
```
Even the knc_stream info, including fildes numbers, needed for the event loop should be passed via this one fd.
So an app would accept a context, knc_set_cred(ctx, GSS_C_NO_CREDENTIAL), do something with the deleg cred (possibly gss_export_cred(), possibly gss_store_cred()), knc_free_deleg_cred(ctx), then fork(), knc_allow_inherit(), setuid() and so on, then exec(), then knc_inherit().
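The sequence sketched in the comment above (export the context to an unlinked temp file, fork, drop privileges in the child, re-import from the inherited fd), worked through as an added example. This is not knc's code: `toy_ctx`, `ctx_allow_inherit()`, `ctx_inherit()`, `inherit_roundtrip()`, the `/tmp` path and the uid/gid 65534 used for privilege dropping are all assumptions standing in for the proposed `knc_allow_inherit()`/`knc_inherit()` pair, and the exec step between fork and import is omitted so the program runs stand-alone. The parts that matter from a privilege-dropping standpoint are that the exported state carries no credential, that the fd is the only handle to it (the file is unlinked immediately and the parent closes its copy), that `FD_CLOEXEC` is cleared so the fd would survive exec, and that the importer refuses anything that is not an unlinked regular file and bounds-checks what it reads.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for the state a knc context would hand over: the stream
 * fd number plus an opaque blob (say, an exported security context). The
 * delegated credential is deliberately not part of it. */
typedef struct {
    int32_t  stream_fd;
    uint32_t blob_len;
    uint8_t  blob[64];
} toy_ctx;

/* Parent side, the knc_allow_inherit() of the sketch: write the context into a
 * temp file that is unlinked at once (no name left on disk), rewind it, and
 * clear FD_CLOEXEC so the fd survives exec. Returns the fd, or -1. */
static int ctx_allow_inherit(const toy_ctx *ctx)
{
    char path[] = "/tmp/knc-ctx.XXXXXX";            /* assumed writable dir */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    int flags = fcntl(fd, F_GETFD);
    if (unlink(path) < 0 || flags < 0 ||
        fcntl(fd, F_SETFD, flags & ~FD_CLOEXEC) < 0 ||
        write(fd, ctx, sizeof *ctx) != (ssize_t)sizeof *ctx ||
        lseek(fd, 0, SEEK_SET) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Child side, the knc_inherit() of the sketch: accept only an unlinked regular
 * file (a named file could be rewritten by someone else between export and
 * import), bound-check the length field, and close the fd once the state is in
 * memory. Returns 0, or -1 on any failure. */
static int ctx_inherit(int fd, toy_ctx *out)
{
    struct stat st;
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_nlink == 0 &&
             read(fd, out, sizeof *out) == (ssize_t)sizeof *out &&
             out->blob_len <= sizeof out->blob;
    close(fd);
    return ok ? 0 : -1;
}

/* The whole sequence: export, fork, drop privileges in the child (only when it
 * really is root; uid/gid 65534 is an assumed "nobody"), re-import, and send
 * the byte sum of the imported blob back over a pipe. The exec step is omitted
 * so the example runs stand-alone. Returns the sum, or -1 on failure. */
static long inherit_roundtrip(const toy_ctx *ctx)
{
    int pfd[2];
    long sum = -1, got;
    if (pipe(pfd) < 0)
        return -1;
    int fd = ctx_allow_inherit(ctx);
    pid_t pid = fd < 0 ? -1 : fork();
    if (pid == 0) {                      /* child: drop privileges, then import */
        close(pfd[0]);
        if (geteuid() == 0 && (setgid(65534) < 0 || setuid(65534) < 0))
            _exit(2);
        toy_ctx in;
        if (ctx_inherit(fd, &in) == 0) {
            sum = 0;
            for (uint32_t i = 0; i < in.blob_len; i++)
                sum += in.blob[i];
        }
        if (write(pfd[1], &sum, sizeof sum) != (ssize_t)sizeof sum)
            _exit(3);
        _exit(0);
    }
    if (fd >= 0)
        close(fd);                       /* parent keeps no copy of the state */
    close(pfd[1]);
    if (pid > 0 && read(pfd[0], &got, sizeof got) == (ssize_t)sizeof got)
        sum = got;
    close(pfd[0]);
    if (pid > 0)
        waitpid(pid, NULL, 0);
    return sum;
}

int main(void)
{
    toy_ctx ctx = { .stream_fd = 7, .blob_len = 3, .blob = { 1, 2, 3 } };
    printf("imported blob sum: %ld\n", inherit_roundtrip(&ctx));
    return 0;
}
```

With a real exec in between, the child would receive the fd number (via argv or an environment variable) and call the importer on it; everything else, including the stream fd numbers the comment wants carried along, would travel inside the exported blob exactly as here. A corrupt length field or a named file handed to the importer both fail closed rather than being trusted.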