Re: Headsup! krb5 ccache defaults are changing in Rawhide

On 02/24/2012 00:22, Simo Sorce wrote:
On Thu, 2012-02-23 at 20:41 -0500, David Quigley wrote:
On 02/23/2012 14:28, Stephen Gallagher wrote:
> Dear fellow developers,
>
> with the upcoming Fedora 18 release (currently Rawhide) we are going to
> change the place where krb5 credential cache files are saved by default.
>
> The new default for credential caches will be the /run/user/<username>
> directory.
>
> The reason is to make credential saving a bit more predictable while at
> the same time avoiding races. Along the road we also gain a little bit
> more security by the fact that /run is a tmpfs and therefore cached
> credentials are automatically removed if the machine is shut off.
>
> We have opened bugs to change the default location in libkrb5
> https://bugzilla.redhat.com/show_bug.cgi?id=796429 in sssd
> https://bugzilla.redhat.com/show_bug.cgi?id=786957 and nfs-utils
> https://bugzilla.redhat.com/show_bug.cgi?id=786993
>
> Normal users should not experience issues once these components are
> fixed, however because the /run/user/<username> directory is created by
> PAM it means this directory is not normally created for daemons that may
> run as a system user.
>
> One such case is mod_auth_kerb that recently gained the ability to kinit
> with an HTTP/ keytab in order to support the s4u2proxy feature.
>
> For daemons that use a keytab to kinit because they act as clients (as
> opposed to just servers that accept kerberos connections), it may be
> needed to add a configuration snippet in their configuration file under
> /etc/tmpfiles.d so that /run/user/<username> is created with the correct
> permissions (700) and user ownership.
>
> For example, httpd would add the following line to
> /etc/tmpfiles.d/httpd.conf:
>
> d /var/run/user/apache   700 apache apache
>
> If you know your daemon requires a credential cache file and does not
> specify one on its own but instead relies on the default location, then
> you should open a ticket in bugzilla and add the necessary configuration
> to tmpfiles.d
>
> If you have any questions feel free to contact any of the people in CC.
>
> --
> Stephen Gallagher * Red Hat, Inc * Massachusetts

(apologies if you get this twice. I sent it from the wrong address.)

Please make sure to have any SELinux related things fixed at the same time (setting proper labels, extending policy etc). Where are the creds currently stored? Once we have that, one of us can check if the old and new locations have the same security information or if we have to fix that.

Dan Walsh is one of the owners of the feature.
You can blame him if SELinux policies are broken! :-D

Simo.

--
Simo Sorce * Red Hat, Inc * New York

Ok just wanted to make sure that Dan or one of us was involved. I'll make sure to blame him if things break :)
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
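A small check for the tmpfiles.d step discussed in the thread, added here as an example; it is not code from the thread or from krb5, sssd, nfs-utils, mod_auth_kerb or systemd. It generates the tmpfiles.d line for a system user, applies a `d` line beneath a hypothetical mock root so it can be exercised without touching the real /run, and verifies that a credential-cache directory has the mode 700 and the ownership the announcement asks for before a daemon relies on it as its default ccache location. It assumes GNU coreutils stat(1) (Linux); the mock-root prefix and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): check a daemon's default krb5
# credential-cache directory /run/user/<username> against the tmpfiles.d
# snippet that is supposed to create it.
# Assumptions: GNU coreutils stat(1); ROOT is a hypothetical mock root
# prefix used so the script can run without writing to the real /run.

# Print the tmpfiles.d line for a system user.
# Field order in tmpfiles.d(5) is: type path mode user group [age argument].
tmpfiles_line() {
    printf 'd /run/user/%s 0700 %s %s\n' "$1" "$1" "$1"
}

# Apply one "d" tmpfiles.d line beneath the mock root $1.
# Only the "d" (create directory) type is handled; ownership is applied
# only when running as root, since chown needs that anyway.
apply_tmpfiles_line() {
    root=$1
    line=$2
    set -- $line
    [ "$1" = d ] || { echo "unsupported tmpfiles.d type: $1" >&2; return 1; }
    path=$root$2; mode=$3; user=$4; group=$5
    mkdir -p "$path" || return 1
    chmod "$mode" "$path" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$user:$group" "$path" || return 1
    fi
    return 0
}

# Check a ccache directory: it must exist, be mode 700 and be owned by $2.
# Returns 0 when it is safe to use as the default ccache location and 1
# otherwise, printing the reason and, for a missing directory, the
# tmpfiles.d line that would create it.
check_ccache_dir() {
    dir=$1
    user=$2
    if [ ! -d "$dir" ]; then
        echo "missing: $dir (add to /etc/tmpfiles.d: $(tmpfiles_line "$user"))" >&2
        return 1
    fi
    mode=$(stat -c %a "$dir")
    owner=$(stat -c %U "$dir")
    [ "$mode" = 700 ] || { echo "mode $mode on $dir, want 700" >&2; return 1; }
    [ "$owner" = "$user" ] || { echo "owner $owner on $dir, want $user" >&2; return 1; }
    return 0
}

# Usage (hypothetical values): generate the httpd snippet, apply it under a
# scratch root, and verify the result.
# ROOT=$(mktemp -d)
# apply_tmpfiles_line "$ROOT" "$(tmpfiles_line apache)"
# check_ccache_dir "$ROOT/run/user/apache" apache && echo ok
```

On an SELinux system the same check should also compare the directory's label (`ls -Zd`) with what policy expects for the path (`matchpathcon`), which is the point Simo raises above; the script only covers mode and ownership.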


