From owner-freebsd-arch@freebsd.org  Mon Dec  3 09:01:13 2018
Return-Path: <owner-freebsd-arch@freebsd.org>
Delivered-To: freebsd-arch@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id C5B95131B4B7
 for <freebsd-arch@mailman.ysv.freebsd.org>;
 Mon,  3 Dec 2018 09:01:13 +0000 (UTC)
 (envelope-from bu7cher@yandex.ru)
Received: from forward101j.mail.yandex.net (forward101j.mail.yandex.net
 [IPv6:2a02:6b8:0:801:2::101])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 77FD4785B0;
 Mon,  3 Dec 2018 09:01:12 +0000 (UTC)
 (envelope-from bu7cher@yandex.ru)
Received: from mxback3o.mail.yandex.net (mxback3o.mail.yandex.net
 [IPv6:2a02:6b8:0:1a2d::1d])
 by forward101j.mail.yandex.net (Yandex) with ESMTP id 000352E81532;
 Mon,  3 Dec 2018 12:01:07 +0300 (MSK)
Received: from smtp1p.mail.yandex.net (smtp1p.mail.yandex.net
 [2a02:6b8:0:1472:2741:0:8b6:6])
 by mxback3o.mail.yandex.net (nwsmtp/Yandex) with ESMTP id ZfQhZUSzxg-17qWmX4o; 
 Mon, 03 Dec 2018 12:01:07 +0300
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail;
 t=1543827667; bh=Jw3Z0gB7GORMCAZBN1PKfBO8sh9/pFpHiYlCVVN7fdY=;
 h=Subject:To:Cc:References:From:Message-ID:Date:In-Reply-To;
 b=eaiEcI7wdFnyoskfpu6WAKXEPSyXoDS056uGjk93iB9EI2VQEj5yuOhJMzSq1SYTB
 b8+zzB+ggNYGDYYKN9t5Im28vrmyUVsBnjRHkrjqzDfhqpnoFJaZ6pjXhKYrRHSHfi
 lTyU+4ARWePe//uQBHxoWhw3Pawd+R+k1XjIexVI=
Received: by smtp1p.mail.yandex.net (nwsmtp/Yandex) with ESMTPSA id
 5bQ8Azzs3k-163qKJpD; Mon, 03 Dec 2018 12:01:06 +0300
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client certificate not present)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail;
 t=1543827666; bh=Jw3Z0gB7GORMCAZBN1PKfBO8sh9/pFpHiYlCVVN7fdY=;
 h=Subject:To:Cc:References:From:Message-ID:Date:In-Reply-To;
 b=NdaO+xzQSHVhW/voXwb16Jslq5FVekqCz9yz+MhJcu3GkIa/X3uI9a5AGWTBPcTjf
 SXgi3gl8VNBfRfp++dHKA2j3O7QfG1CZrANjBl6zp4UJXcscRoNDMD5cl/lMGrgvtR
 7BfiCywJMal8qTW5W8qHdu7hmO0qZSUSNQx8c2cA=
Authentication-Results: smtp1p.mail.yandex.net; dkim=pass header.i=@yandex.ru
Subject: Re: Removal or updating of "mount_smbfs" from FreeBSD operating system
To: Yuri Pankov <yuripv@yuripv.net>, Edward Napierala <trasz@freebsd.org>,
 gerard@seibercom.net
Cc: freebsd-arch@freebsd.org
References: <20181126121926.00007626@seibercom.net>
 <CAFLM3-o_P3-1sDea-Bgbn0oSjnAqF5RAMTWDgkk6K3819XsMDQ@mail.gmail.com>
 <a9a10036-9c4c-9aa4-9f64-e34ee8d30e89@yuripv.net>
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
Openpgp: id=E6591E1B41DA1516F0C9BC0001C5EA0410C8A17A
Autocrypt: addr=bu7cher@yandex.ru; prefer-encrypt=mutual; keydata=
 xsBNBEwBF1kBCADB9sXFhBEUy8qQ4X63Y8eBatYMHGEFWN9ypS5lI3RE6qQW2EYbxNk7qUC5
 21YIIS1mMFVBEfvR7J9uc7yaYgFCEb6Sce1RSO4ULN2mRKGHP3/Sl0ijZEjWHV91hY1YTHEF
 ZW/0GYinDf56sYpDDehaBF5wkWIo1+QK5nmj3vl0DIDCMNd7QEiWpyLVwECgLX2eOAXByT8B
 bCqVhJGcG6iFP7/B9Ll6uX5gb8thM9LM+ibwErDBVDGiOgvfxqidab7fdkh893IBCXa82H9N
 CNwnEtcgzh+BSKK5BgvPohFMgRwjti37TSxwLu63QejRGbZWSz3OK3jMOoF63tCgn7FvABEB
 AAHNIkFuZHJleSBWLiBFbHN1a292IDxhZUBmcmVlYnNkLm9yZz7CwHsEEwECACUCGwMGCwkI
 BwMCBhUIAgkKCwQWAgMBAh4BAheABQJMB/ruAhkBAAoJEAHF6gQQyKF6MLwH/3Ri/TZl9uo0
 SepYWXOnxL6EaDVXDA+dLb1eLKC4PRBBjX29ttQ0KaWapiE6y5/AfzOPmRtHLrHYHjd/aiHX
 GMLHcYRXD+5GvdkK8iMALrZ28X0JXyuuZa8rAxWIWmCbYHNSBy2unqWgTI04Erodk90IALgM
 9JeHN9sFqTM6zalrMnTzlcmel4kcjT3lyYw3vOKgoYLtsLhKZSbJoVVVlvRlGBpHFJI5AoYJ
 SyfXoN0rcX6k9X7Isp2K50YjqxV4v78xluh1puhwZyC0p8IShPrmrp9Oy9JkMX90o6UAXdGU
 KfdExJuGJfUZOFBTtNIMNIAKfMTjhpRhxONIr0emxxDOwE0ETAEXWQEIAJ2p6l9LBoqdH/0J
 PEFDY2t2gTvAuzz+8zs3R03dFuHcNbOwjvWCG0aOmVpAzkRa8egn5JB4sZaFUtKPYJEQ1Iu+
 LUBwgvtXf4vWpzC67zs2dDuiW4LamH5p6xkTD61aHR7mCB3bg2TUjrDWn2Jt44cvoYxj3dz4
 S49U1rc9ZPgD5axCNv45j72tggWlZvpefThP7xT1OlNTUqye2gAwQravXpZkl5JG4eOqJVIU
 X316iE3qso0iXRUtO7OseBf0PiVmk+wCahdreHOeOxK5jMhYkPKVn7z1sZiB7W2H2TojbmcK
 HZC22sz7Z/H36Lhg1+/RCnGzdEcjGc8oFHXHCxUAEQEAAcLAXwQYAQIACQUCTAEXWQIbDAAK
 CRABxeoEEMihegkYCAC3ivGYNe2taNm/4Nx5GPdzuaAJGKWksV+w9mo7dQvU+NmI2az5w8vw
 98OmX7G0OV9snxMW+6cyNqBrVFTu33VVNzz9pnqNCHxGvj5dL5ltP160JV2zw2bUwJBYsgYQ
 WfyJJIM7l3gv5ZS3DGqaGIm9gOK1ANxfrR5PgPzvI9VxDhlr2juEVMZYAqPLEJe+SSxbwLoz
 BcFCNdDAyXcaAzXsx/E02YWm1hIWNRxanAe7Vlg7OL+gvLpdtrYCMg28PNqKNyrQ87LQ49O9
 50IIZDOtNFeR0FGucjcLPdS9PiEqCoH7/waJxWp6ydJ+g4OYRBYNM0EmMgy1N85JJrV1mi5i
Message-ID: <84aaaa9a-ef78-f7c2-fd42-1ea8b848f865@yandex.ru>
Date: Mon, 3 Dec 2018 11:58:31 +0300
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:60.0) Gecko/20100101
 Thunderbird/60.3.1
MIME-Version: 1.0
In-Reply-To: <a9a10036-9c4c-9aa4-9f64-e34ee8d30e89@yuripv.net>
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature";
 boundary="5oPQ3Ume9rwUlUwJwbw6QINbUBppWL4zu"
X-Rspamd-Queue-Id: 77FD4785B0
X-Spamd-Result: default: False [-7.91 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[];
 TO_DN_SOME(0.00)[]; FREEMAIL_FROM(0.00)[yandex.ru];
 R_SPF_ALLOW(-0.20)[+ip6:2a02:6b8:0::/52];
 HAS_ATTACHMENT(0.00)[]; RCVD_COUNT_THREE(0.00)[4];
 DKIM_TRACE(0.00)[yandex.ru:+];
 MX_GOOD(-0.01)[mx.yandex.ru,mx.yandex.ru,mx.yandex.ru,mx.yandex.ru,mx.yandex.ru];
 DMARC_POLICY_ALLOW(-0.50)[yandex.ru,none];
 NEURAL_HAM_SHORT(-0.96)[-0.961,0]; SIGNED_PGP(-2.00)[];
 FROM_EQ_ENVFROM(0.00)[];
 IP_SCORE(-1.74)[ipnet: 2a02:6b8::/32(-4.84), asn: 13238(-3.85), country:
 RU(0.01)]; RCVD_TLS_LAST(0.00)[];
 RCVD_IN_DNSWL_LOW(-0.10)[1.0.1.0.0.0.0.0.0.0.0.0.2.0.0.0.1.0.8.0.0.0.0.0.8.b.6.0.2.0.a.2.list.dnswl.org
 : 127.0.5.1]; 
 ASN(0.00)[asn:13238, ipnet:2a02:6b8::/32, country:RU];
 MID_RHS_MATCH_FROM(0.00)[]; ARC_NA(0.00)[];
 NEURAL_HAM_MEDIUM(-1.00)[-1.000,0];
 R_DKIM_ALLOW(-0.20)[yandex.ru]; FROM_HAS_DN(0.00)[];
 RCPT_COUNT_THREE(0.00)[4]; NEURAL_HAM_LONG(-1.00)[-1.000,0];
 MIME_GOOD(-0.20)[multipart/signed,multipart/mixed,text/plain];
 FREEMAIL_ENVFROM(0.00)[yandex.ru];
 TO_MATCH_ENVRCPT_SOME(0.00)[]
X-Rspamd-Server: mx1.freebsd.org
X-BeenThere: freebsd-arch@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion related to FreeBSD architecture <freebsd-arch.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-arch>,
 <mailto:freebsd-arch-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-arch/>
List-Post: <mailto:freebsd-arch@freebsd.org>
List-Help: <mailto:freebsd-arch-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-arch>,
 <mailto:freebsd-arch-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Dec 2018 09:01:14 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--5oPQ3Ume9rwUlUwJwbw6QINbUBppWL4zu
Content-Type: multipart/mixed; boundary="aYRzU0lpRUgVIMhNU3EUCKdeTDPkq0gwT";
 protected-headers="v1"
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Yuri Pankov <yuripv@yuripv.net>, Edward Napierala <trasz@freebsd.org>,
 gerard@seibercom.net
Cc: freebsd-arch@freebsd.org
Message-ID: <84aaaa9a-ef78-f7c2-fd42-1ea8b848f865@yandex.ru>
Subject: Re: Removal or updating of "mount_smbfs" from FreeBSD operating
 system
References: <20181126121926.00007626@seibercom.net>
 <CAFLM3-o_P3-1sDea-Bgbn0oSjnAqF5RAMTWDgkk6K3819XsMDQ@mail.gmail.com>
 <a9a10036-9c4c-9aa4-9f64-e34ee8d30e89@yuripv.net>
In-Reply-To: <a9a10036-9c4c-9aa4-9f64-e34ee8d30e89@yuripv.net>

--aYRzU0lpRUgVIMhNU3EUCKdeTDPkq0gwT
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable

On 27.11.2018 19:55, Yuri Pankov wrote:
>> There seems to be existing, working code in Nexenta, which is being
>> upstreamed to Illumos:
>>
>> https://www.illumos.org/issues/9735
>> https://github.com/illumos/illumos-gate/pull/37
>>
>> Their implementation descends from the one we have in base (and the on=
e
>> from OSX, which also descends from FreeBSD), so it should be possible =
to
>> merge it.
>=20
> Yes, we have it working and tested pretty well.  And that's exactly the=

> reason I was asking if there's work in progress for smb2/3 client or no=
t
> before even starting looking into porting the code.
>=20
> The problem here is that the code has grown library dependencies which
> are CDDL-licensed, which aren't easy to break (if at all), so if ported=
,
> it will be covered by WITHOUT_CDDL; hopefully that's acceptable.  It's
> possible that Nexenta-authored code could be relicensed under BSDL (I'l=
l
> have to ask, we already have a precedent with localedef), but sadly tha=
t
> doesn't cover everything.

Apple's implementation is looks like based on the same source as our
one. It looks like dual licensed APSL/BSDL but the size of the SMB/CIFS
code has significantly increased and porting doesn't look like an easy
task. But probably some code can be used...

https://opensource.apple.com/tarballs/smb/

--=20
WBR, Andrey V. Elsukov


--aYRzU0lpRUgVIMhNU3EUCKdeTDPkq0gwT--

--5oPQ3Ume9rwUlUwJwbw6QINbUBppWL4zu
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQEzBAEBCAAdFiEE5lkeG0HaFRbwybwAAcXqBBDIoXoFAlwE8DcACgkQAcXqBBDI
oXo7HQf/Y/LzcoWfwZpqb3FcalnH4mguhKImrl9LALrzXz6P3/afDaRyl0V7LcTR
MpmqkydCLoTcPw57DbtQUJFGuJ1U55Ada/yn8hPg8nKIi4A4ylnZUw7M/+ho4vcO
yR7KAHkX2UIwE0swEe+kmjK05opKI074RUkoFr33dtVnUiCfiPq/NhJqIQ4fBpmv
bShcWib56qkFo0vZ9WSjNObDEz78N0du+wNmH+E165ZmtjCBBChckZ3lb05aYaLs
inIP49gPcbKxAjM48DUAEEY/FFQLdp7TyblKJYkd6uOdZX9z2YUU53iSEL+1N8iP
RqfDK68yP+ffPeivkfWSzxstX1gEyQ==
=ULgj
-----END PGP SIGNATURE-----

--5oPQ3Ume9rwUlUwJwbw6QINbUBppWL4zu--

From owner-freebsd-arch@freebsd.org  Fri Dec  7 10:33:01 2018
Return-Path: <owner-freebsd-arch@freebsd.org>
Delivered-To: freebsd-arch@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4EC3A1333EBC
 for <freebsd-arch@mailman.ysv.freebsd.org>;
 Fri,  7 Dec 2018 10:33:01 +0000 (UTC) (envelope-from jack@gandi.net)
Received: from gandi.net (mail12.gandi.net
 [IPv6:2001:4b98:dc4:5:ae1f:6bff:fe2d:9fdc])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 6599784479;
 Fri,  7 Dec 2018 10:33:00 +0000 (UTC) (envelope-from jack@gandi.net)
Received: from thinkpad-gandi (tgordon.gandi.net [217.70.181.24])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by gandi.net (Postfix) with ESMTPS id 042D01604AD;
 Fri,  7 Dec 2018 10:32:52 +0000 (UTC)
Date: Fri, 7 Dec 2018 11:32:51 +0100
From: Jack Halford <jack@gandi.net>
To: freebsd-arch@freebsd.org
Cc: zml@freebsd.org, mdf@freebsd.org, fatih@gandi.net
Subject: per thread credentials
Message-ID: <20181207103251.s5xao5ji4rx5omcz@thinkpad-gandi>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Disposition: inline
User-Agent: NeoMutt/20180716
X-Rspamd-Queue-Id: 6599784479
X-Spamd-Result: default: False [-3.23 / 15.00]; ARC_NA(0.00)[];
 NEURAL_HAM_MEDIUM(-1.00)[-0.996,0]; FROM_HAS_DN(0.00)[];
 RCPT_COUNT_THREE(0.00)[4];
 R_SPF_ALLOW(-0.20)[+ip6:2001:4b98:dc4:5::/64];
 NEURAL_HAM_LONG(-1.00)[-1.000,0]; MIME_GOOD(-0.10)[text/plain];
 TO_DN_NONE(0.00)[]; DMARC_NA(0.00)[gandi.net];
 TO_MATCH_ENVRCPT_SOME(0.00)[];
 MX_GOOD(-0.01)[mail8.gandi.net,mail12.gandi.net];
 NEURAL_HAM_SHORT(-0.91)[-0.911,0];
 IP_SCORE(-0.51)[asn: 203476(-2.55), country: FR(-0.02)];
 FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[];
 MID_RHS_NOT_FQDN(0.50)[];
 ASN(0.00)[asn:203476, ipnet:2001:4b98:dc4::/48, country:FR];
 RCVD_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[]
X-Rspamd-Server: mx1.freebsd.org
X-BeenThere: freebsd-arch@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion related to FreeBSD architecture <freebsd-arch.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-arch>,
 <mailto:freebsd-arch-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-arch/>
List-Post: <mailto:freebsd-arch@freebsd.org>
List-Help: <mailto:freebsd-arch-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-arch>,
 <mailto:freebsd-arch-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Dec 2018 10:33:01 -0000

hello,

Gandi.net has need of per-thread credentials for a file server. There
have been prior discussions in a thread[1] in 2009 and also a design[2]
has been written out on the wiki in 2011. I'm in the process of
implementing this design.

Before posting my patch to reviews I'd like know if I've missed any
discussion on the subject since the design I'm basing myself on is quite
old (some of the points are now irrelevant after 7 years). Also maybe
someone knows why this was never implemented in the first place?

[1] https://lists.freebsd.org/pipermail/freebsd-arch/2009-May/009300.html
[2] https://wiki.freebsd.org/Per-Thread%20Credentials

From owner-freebsd-arch@freebsd.org  Fri Dec  7 16:53:26 2018
Return-Path: <owner-freebsd-arch@freebsd.org>
Delivered-To: freebsd-arch@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 820901313665
 for <freebsd-arch@mailman.ysv.freebsd.org>;
 Fri,  7 Dec 2018 16:53:26 +0000 (UTC)
 (envelope-from cse.cem@gmail.com)
Received: from mail-it1-f173.google.com (mail-it1-f173.google.com
 [209.85.166.173])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id CF11B6DBDE
 for <freebsd-arch@freebsd.org>; Fri,  7 Dec 2018 16:53:25 +0000 (UTC)
 (envelope-from cse.cem@gmail.com)
Received: by mail-it1-f173.google.com with SMTP id c9so8047310itj.1
 for <freebsd-arch@freebsd.org>; Fri, 07 Dec 2018 08:53:25 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:reply-to
 :from:date:message-id:subject:to:cc:content-transfer-encoding;
 bh=vN1T6uznEjf7wu5eTnT5edoXR1bV/BfbZ2p2ozBl0X4=;
 b=ujV2Bp06xk9CQChKuKlmC55YRS12HpZsDbOsJIQsRvJSajwvdA1crmit2mfcve+L79
 aYZ5R/la1v8kuzkdE+k8zcsL+dKG+hJVyP51mKaNaYcsIisM4wVXN8B21nEePRg0oNN9
 GTZOzc+ApoAtBUZTn0wI5uemWa7aWns3/FGR1e4nj7VGVpvqA80Ctd+mRDLmQsLrBOfv
 vQGVvsh9lX1HSxLKQEmT0jHdb8ic/BCosq13dOrdw+/TwExD1kFhF3II37J29lyFecco
 yPqQnXpdmt4hsA4zDrDeBg0aV9vi+hN2TDJ2MavIe65KslpSxWQJ55BXV0ng2ngbABr+
 b2mA==
X-Gm-Message-State: AA+aEWbGDb3KIUkm0/xPIc/wWUStlZgZpDggycmkUxQY7Po+u/FGdJjd
 APgaf7YJ447Dopp4ZTF/n8oBPLCq
X-Google-Smtp-Source: AFSGD/UB1AJMjXd5RVtfRf9H/91FJMZxLwt1PKi00H1oukPBNr5JWLGG2jzZXKjMJ/MGoynaJut1hA==
X-Received: by 2002:a24:5411:: with SMTP id t17mr2595123ita.32.1544201598759; 
 Fri, 07 Dec 2018 08:53:18 -0800 (PST)
Received: from mail-io1-f45.google.com (mail-io1-f45.google.com.
 [209.85.166.45])
 by smtp.gmail.com with ESMTPSA id w13sm2027485itb.10.2018.12.07.08.53.18
 for <freebsd-arch@freebsd.org>
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Fri, 07 Dec 2018 08:53:18 -0800 (PST)
Received: by mail-io1-f45.google.com with SMTP id f14so3784894iol.4
 for <freebsd-arch@freebsd.org>; Fri, 07 Dec 2018 08:53:18 -0800 (PST)
X-Received: by 2002:a6b:ee16:: with SMTP id i22mr2159630ioh.124.1544201597867; 
 Fri, 07 Dec 2018 08:53:17 -0800 (PST)
MIME-Version: 1.0
References: <20181207103251.s5xao5ji4rx5omcz@thinkpad-gandi>
In-Reply-To: <20181207103251.s5xao5ji4rx5omcz@thinkpad-gandi>
Reply-To: cem@freebsd.org
From: Conrad Meyer <cem@freebsd.org>
Date: Fri, 7 Dec 2018 08:53:07 -0800
X-Gmail-Original-Message-ID: <CAG6CVpU1ZyVHx=jR9WXBkw1G75j6zzxMKhpf5QMyrs5-oGyEfQ@mail.gmail.com>
Message-ID: <CAG6CVpU1ZyVHx=jR9WXBkw1G75j6zzxMKhpf5QMyrs5-oGyEfQ@mail.gmail.com>
Subject: Re: per thread credentials
To: jack@gandi.net
Cc: "freebsd-arch@freebsd.org" <freebsd-arch@freebsd.org>, fatih@gandi.net
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Rspamd-Queue-Id: CF11B6DBDE
X-Spamd-Result: default: False [-5.72 / 15.00]; TO_DN_EQ_ADDR_SOME(0.00)[];
 RCVD_VIA_SMTP_AUTH(0.00)[]; HAS_REPLYTO(0.00)[cem@freebsd.org];
 R_SPF_ALLOW(-0.20)[+ip4:209.85.128.0/17];
 REPLYTO_ADDR_EQ_FROM(0.00)[]; RCVD_COUNT_THREE(0.00)[4];
 MX_GOOD(-0.01)[cached: alt3.gmail-smtp-in.l.google.com];
 NEURAL_HAM_SHORT(-0.98)[-0.977,0];
 FORGED_SENDER(0.30)[cem@freebsd.org,csecem@gmail.com];
 IP_SCORE(-2.73)[ip: (-8.82), ipnet: 209.85.128.0/17(-3.45), asn: 15169(-1.30),
 country: US(-0.09)]; R_DKIM_NA(0.00)[];
 FREEMAIL_ENVFROM(0.00)[gmail.com];
 ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US];
 TAGGED_FROM(0.00)[]; ARC_NA(0.00)[];
 NEURAL_HAM_MEDIUM(-1.00)[-1.000,0];
 FROM_NEQ_ENVFROM(0.00)[cem@freebsd.org,csecem@gmail.com];
 FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3];
 NEURAL_HAM_LONG(-1.00)[-1.000,0]; MIME_GOOD(-0.10)[text/plain];
 PREVIOUSLY_DELIVERED(0.00)[freebsd-arch@freebsd.org];
 DMARC_NA(0.00)[freebsd.org]; TO_MATCH_ENVRCPT_SOME(0.00)[];
 RCVD_IN_DNSWL_NONE(0.00)[173.166.85.209.list.dnswl.org : 127.0.5.0];
 RCVD_TLS_LAST(0.00)[]
X-Rspamd-Server: mx1.freebsd.org
X-BeenThere: freebsd-arch@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion related to FreeBSD architecture <freebsd-arch.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-arch>,
 <mailto:freebsd-arch-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-arch/>
List-Post: <mailto:freebsd-arch@freebsd.org>
List-Help: <mailto:freebsd-arch-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-arch>,
 <mailto:freebsd-arch-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Dec 2018 16:53:26 -0000

On Fri, Dec 7, 2018 at 2:37 AM Jack Halford <jack@gandi.net> wrote:
>
> hello,
>
> Gandi.net has need of per-thread credentials for a file server. There
> have been prior discussions in a thread[1] in 2009 and also a design[2]
> has been written out on the wiki in 2011. I'm in the process of
> implementing this design.
>...
>
> [1] https://lists.freebsd.org/pipermail/freebsd-arch/2009-May/009300.html
> [2] https://wiki.freebsd.org/Per-Thread%20Credentials

Both of these came out of Isilon.  I think we ended up with special
credential file descriptors, rather than using uid_t's and gid_t's
directly, because of a need for compatibility with arbitrary Windows
LDAP users ("SID"s?) not present in the local id database.

I can't speak to why it didn't land before =E2=80=94 I wasn't really around
for that, and there's a 50-50 chance we just didn't want to put in the
effort =E2=80=94 but we still use something similar now.  Zach Loafman left
the company long ago and hasn't been an active FreeBSD committer in
quite some time, and ditto mdf@.  Committers at Isilon now are me,
bdrewery@, vangyzen@, dab@, rstone@, and pho@, but none of us are
really involved with what Isilon calls "AIMA" (Authentication,
Identity Management, Authorization).

The APIs we use today look like:

663     AUE_NULL        STD     { int modifytcred2(int fd, \
                                    struct native_token *token, \
                                    int flags); }
664     AUE_NULL        STD     { int modifytcred(int fd1, int fd2, \
                                    int flags); }
665     AUE_NULL        STD     { int accesstcred(char *path, int flags, \
                                    int fd); }
666     AUE_NULL        STD     { int buildtcred(struct native_token *token=
, \
                                    int current); }
667     AUE_NULL        STD     { int gettcred(char *user, int thread); }
668     AUE_NULL        STD     { int settcred(int fd, int flags, \
                                    struct native_token *token); }
669     AUE_NULL        STD     { int reverttcred(void); }
670     AUE_NULL        STD     { int restricttcred(int fd, struct
native_token *token); }

Best,
Conrad