On 02/23/2012 14:28, Stephen Gallagher wrote:
Dear fellow developers,

With the upcoming Fedora 18 release (currently Rawhide) we are going to change the place where krb5 credential cache files are saved by default. The new default for credential caches will be the /run/user/<username> directory.

The reason is to make credential saving a bit more predictable while at the same time avoiding races. Along the road we also gain a little bit more security by the fact that /run is a tmpfs and therefore cached credentials are automatically removed if the machine is shut off.

We have opened bugs to change the default location in libkrb5 (https://bugzilla.redhat.com/show_bug.cgi?id=796429), in sssd (https://bugzilla.redhat.com/show_bug.cgi?id=786957) and in nfs-utils (https://bugzilla.redhat.com/show_bug.cgi?id=786993).

Normal users should not experience issues once these components are fixed; however, because the /run/user/<username> directory is created by PAM, this directory is not normally created for daemons that may run as a system user.

One such case is mod_auth_kerb, which recently gained the ability to kinit with an HTTP/ keytab in order to support the s4u2proxy feature.

For daemons that use a keytab to kinit because they act as clients (as opposed to just servers that accept Kerberos connections), it may be needed to add a configuration snippet in their configuration file under /etc/tmpfiles.d so that /run/user/<username> is created with the correct permissions (700) and user ownership.

For example, httpd would add the following line to /etc/tmpfiles.d/httpd.conf:

d /var/run/user/apache 700 apache apache

If you know your daemon requires a credential cache file and does not specify one on its own but instead relies on the default location, then you should open a ticket in bugzilla and add the necessary configuration to tmpfiles.d.

If you have any questions feel free to contact any of the people in CC.
--
Stephen Gallagher * Red Hat, Inc * Massachusetts
(apologies if you get this twice. I sent it from the wrong address.)
Please make sure to have any SELinux related things fixed at the same time (setting proper labels, extending policy etc). Where are the creds currently stored? Once we have that, one of us can check if the old and new locations have the same security information or if we have to fix that.
Dave
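As an added example (not part of either message above), the following POSIX shell functions check the two things the thread asks packagers to get right: that a tmpfiles.d entry for a daemon's credential-cache directory is a `d` line for /run/user/<user> (or the /var/run/user alias used in the httpd example) with mode 700 owned by that user, and that the directory actually created on disk carries that mode and ownership. The function names, and the use of GNU `stat -c` for the on-disk check, are this example's own assumptions.

```shell
#!/bin/sh
# Added example; not code from the Fedora devel thread.
# check_tmpfiles_line "<tmpfiles.d line>" <daemon-user>
# Returns 0 when the line is a 'd' entry for /run/user/<user> (or
# /var/run/user/<user>) with mode 700 and both owner and group <user>.
check_tmpfiles_line() {
    line=$1
    user=$2
    # Split the entry on whitespace: type path mode owner group [age]
    set -- $line
    [ "$#" -ge 5 ] || return 1
    type=$1; path=$2; mode=$3; owner=$4; group=$5
    [ "$type" = "d" ] || return 1
    case "$path" in
        /run/user/"$user"|/var/run/user/"$user") ;;
        *) return 1 ;;
    esac
    # A ccache directory readable by others leaks tickets; require 700.
    [ "$mode" = "700" ] || [ "$mode" = "0700" ] || return 1
    [ "$owner" = "$user" ] || return 1
    [ "$group" = "$user" ] || return 1
    return 0
}

# check_ccache_dir <dir> <user>
# Returns 0 when <dir> exists, is mode 700 and is owned by <user>.
# Assumes GNU coreutils stat (Linux).
check_ccache_dir() {
    dir=$1
    user=$2
    [ -d "$dir" ] || return 1
    perms=$(stat -c '%a' "$dir") || return 1
    owner=$(stat -c '%U' "$dir") || return 1
    [ "$perms" = "700" ] || return 1
    [ "$owner" = "$user" ] || return 1
    return 0
}

# Demo with the httpd line quoted in the thread.
if check_tmpfiles_line "d /var/run/user/apache 700 apache apache" apache; then
    echo "httpd tmpfiles.d entry: ok"
else
    echo "httpd tmpfiles.d entry: rejected"
fi
```

Run `check_ccache_dir /run/user/apache apache` on a booted system after `systemd-tmpfiles --create` to confirm the entry took effect; SELinux labels still need a separate check (e.g. `ls -Zd`), as Dave notes.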
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel