On Thu, 2012-02-23 at 20:41 -0500, David Quigley wrote:
> On 02/23/2012 14:28, Stephen Gallagher wrote:
> > Dear fellow developers,
> >
> > with the upcoming Fedora 18 release (currently Rawhide) we are going to
> > change the place where krb5 credential cache files are saved by default.
> >
> > The new default for credential caches will be the /run/user/<username>
> > directory.
> >
> > The reason is to make credential saving a bit more predictable while at
> > the same time avoiding races. Along the road we also gain a little bit
> > more security by the fact that /run is a tmpfs and therefore cached
> > credentials are automatically removed if the machine is shut off.
> >
> > We have opened bugs to change the default location in libkrb5
> > https://bugzilla.redhat.com/show_bug.cgi?id=796429 in sssd
> > https://bugzilla.redhat.com/show_bug.cgi?id=786957 and nfs-utils
> > https://bugzilla.redhat.com/show_bug.cgi?id=786993
> >
> > Normal users should not experience issues once these components are
> > fixed, however because the /run/user/<username> directory is created by
> > PAM it means this directory is not normally created for daemons that may
> > run as a system user.
> >
> > One such case is mod_auth_kerb that recently gained the ability to kinit
> > with an HTTP/ keytab in order to support the s4u2proxy feature.
> >
> > For daemons that use a keytab to kinit because they act as clients (as
> > opposed to just servers that accept kerberos connections), it may be
> > needed to add a configuration snippet in their configuration file
> > under /etc/tmpfiles.d so that /run/user/<username> is created with the
> > correct permissions (700) and user ownership.
> >
> > For example, httpd would add the following line to
> > /etc/tmpfiles.d/httpd.conf:
> >
> > d /var/run/user/apache 700 apache apache
> >
> > If you know your daemon requires a credential cache file and does not
> > specify one on its own but instead relies on the default location, then
> > you should open a ticket in bugzilla and add the necessary configuration
> > to tmpfiles.d
> >
> > If you have any questions feel free to contact any of the people in CC.
> >
> > --
> > Stephen Gallagher * Red Hat, Inc * Massachusetts
> > (apologies if you get this twice. I sent it from the wrong address.)
>
> Please make sure to have any SELinux related things fixed at the same
> time (setting proper labels, extending policy etc). Where are the creds
> currently stored? Once we have that one of us can check if the old and
> new locations have the same security information or if we have to fix
> that.

Dan Walsh is one of the owners of the feature. You can blame him if
SELinux policies are broken! :-D

Simo.

--
Simo Sorce * Red Hat, Inc * New York

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
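The thread says what the tmpfiles.d line must produce (a directory owned by the daemon's user, mode 700) but not how a daemon should verify the directory it was handed before dropping a credential cache into it. The following is an added example written for this page; it is not part of the thread and not code from libkrb5, sssd, mod_auth_kerb or httpd. It parses a tmpfiles.d "d" entry shaped like the httpd line above, creates the directory the way that entry asks, and rejects a directory that is a symlink, is owned by someone else, or grants group/other access. The function names (parse_tmpfiles_line, ccache_dir_problems, ensure_ccache_dir, demo) are assumptions, the sample directories are constructed in a temp dir, and the chown step uses the current uid/gid because no "apache" account is assumed to exist on the machine running it.

```python
"""Added example: check a /run/user/<name>-style credential-cache directory.

Not code from the thread or from krb5/sssd/httpd. Names are hypothetical."""

import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass
class TmpfilesEntry:
    """Fields of one 'd /path mode user group' line from tmpfiles.d(5)."""
    kind: str
    path: str
    mode: int   # parsed as octal, as tmpfiles.d does with '700'
    user: str
    group: str


def parse_tmpfiles_line(line: str) -> TmpfilesEntry:
    """Parse a directory entry such as 'd /var/run/user/apache 700 apache apache'.

    Only the 'd' type is handled here; other tmpfiles.d types raise.
    """
    parts = line.split()
    if len(parts) < 5 or parts[0] != "d":
        raise ValueError(f"unsupported tmpfiles.d line: {line!r}")
    return TmpfilesEntry(parts[0], parts[1], int(parts[2], 8), parts[3], parts[4])


def ccache_dir_problems(path: str, expected_uid: int) -> list:
    """Return reasons why 'path' must not be used as a credential-cache dir.

    An empty list means: a real directory (not a symlink another local user
    could plant to redirect the cache), owned by expected_uid, and with no
    group/other bits, so nobody else can read or replace the cached TGT.
    """
    problems = []
    try:
        st = os.lstat(path)          # lstat: never follow a symlink here
    except FileNotFoundError:
        return ["does not exist"]
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink"]
    if not stat.S_ISDIR(st.st_mode):
        problems.append("is not a directory")
    if st.st_uid != expected_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    perm = stat.S_IMODE(st.st_mode)
    if perm & 0o077:
        problems.append(f"mode {perm:04o} grants group/other access")
    return problems


def ensure_ccache_dir(entry: TmpfilesEntry, uid: int, gid: int) -> list:
    """Create entry.path as the 'd' line asks (mkdir, chmod, chown) and
    return ccache_dir_problems() for the result.

    uid/gid are passed in instead of being resolved from entry.user/group so
    the example runs unprivileged and without an 'apache' account.
    """
    if os.path.lexists(entry.path):
        pre = ccache_dir_problems(entry.path, uid)
        if "is a symlink" in pre or "is not a directory" in pre:
            return pre   # refuse to chmod/chown through something we did not create
    else:
        os.mkdir(entry.path)
    # mkdir honours the umask, so apply the requested mode explicitly.
    os.chmod(entry.path, entry.mode)
    os.chown(entry.path, uid, gid)
    return ccache_dir_problems(entry.path, uid)


def demo() -> dict:
    """Constructed scenario in a temp dir: one directory created per the httpd
    line, one left world-readable, one replaced by a symlink, one missing.
    Returns the problems found for each."""
    uid, gid = os.getuid(), os.getgid()
    base = tempfile.mkdtemp()
    entry = parse_tmpfiles_line(f"d {base}/apache 700 apache apache")
    results = {"good": ensure_ccache_dir(entry, uid, gid)}

    loose = os.path.join(base, "loose")
    os.mkdir(loose)
    os.chmod(loose, 0o755)           # what a careless mkdir under umask 022 gives
    results["loose"] = ccache_dir_problems(loose, uid)

    link = os.path.join(base, "link")
    os.symlink("/tmp", link)         # attacker-planted redirect
    results["link"] = ccache_dir_problems(link, uid)
    results["missing"] = ccache_dir_problems(os.path.join(base, "nope"), uid)
    return results
```

In a real deployment the directory is created by systemd-tmpfiles from the /etc/tmpfiles.d entry at boot (systemd-tmpfiles --create applies it by hand), and the check above is what a daemon that relies on the default cache location can run before its first kinit, so a missing or mislabelled entry fails loudly instead of silently writing a TGT into a directory another user can read.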