On 02/24/2012 08:44 AM, David Quigley wrote:
> On 02/24/2012 00:22, Simo Sorce wrote:
>> On Thu, 2012-02-23 at 20:41 -0500, David Quigley wrote:
>>> On 02/23/2012 14:28, Stephen Gallagher wrote:
>>>> Dear fellow developers,
>>>>
>>>> with the upcoming Fedora 18 release (currently Rawhide) we are going
>>>> to change the place where krb5 credential cache files are saved by
>>>> default.
>>>>
>>>> The new default for credential caches will be the /run/user/<username>
>>>> directory.
>>>>
>>>> The reason is to make credential saving a bit more predictable while
>>>> at the same time avoiding races. Along the road we also gain a little
>>>> bit more security by the fact that /run is a tmpfs and therefore
>>>> cached credentials are automatically removed if the machine is shut
>>>> off.
>>>>
>>>> We have opened bugs to change the default location in libkrb5
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=796429 in sssd
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=786957 and nfs-utils
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=786993
>>>>
>>>> Normal users should not experience issues once these components are
>>>> fixed, however because the /run/user/<username> directory is created
>>>> by PAM it means this directory is not normally created for daemons
>>>> that may run as a system user.
>>>>
>>>> One such case is mod_auth_kerb that recently gained the ability to
>>>> kinit with an HTTP/ keytab in order to support the s4u2proxy feature.
>>>>
>>>> For daemons that use a keytab to kinit because they act as clients
>>>> (as opposed to just servers that accept kerberos connections), it may
>>>> be needed to add a configuration snippet in their configuration file
>>>> under /etc/tmpfiles.d so that /run/user/<username> is created with the
>>>> correct permissions (700) and user ownership.
>>>>
>>>> For example, httpd would add the following line to the
>>>> /etc/tmpfiles.d/httpd.conf:
>>>>
>>>> d /var/run/user/apache 700 apache apache
>>>>
>>>> If you know your daemon requires a credential cache file and does not
>>>> specify one on its own but instead relies on the default location,
>>>> then you should open a ticket in bugzilla and add the necessary
>>>> configuration to tmpfiles.d.
>>>>
>>>> If you have any questions feel free to contact any of the people in
>>>> CC.
>>>>
>>>> --
>>>> Stephen Gallagher * Red Hat, Inc * Massachusetts
>>>
>>> (apologies if you get this twice. I sent it from the wrong address.)
>>>
>>> Please make sure to have any SELinux related things fixed at the same
>>> time (setting proper labels, extending policy etc). Where are the creds
>>> currently stored? Once we have that one of us can check if the old and
>>> new locations have the same security information or if we have to fix
>>> that.
>>
>> Dan Walsh is one of the owners of the feature. You can blame him if
>> SELinux policies are broken! :-D
>>
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
>
> Ok just wanted to make sure that Dan or one of us was involved. I'll
> make sure to blame him if things break :)

Actually the current label for both locations is user_tmp_t. Although there
has been some thought to changing the label of /run/user/USERNAME.

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
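As an added example, not code from the thread or from any of the projects named in it: a small POSIX shell check for the situation the announcement describes. It verifies that a daemon's /run/user/<username> credential cache directory exists with the 700 mode and the ownership the tmpfiles.d snippet is meant to guarantee, and otherwise prints the tmpfiles.d line in the format shown above. The helper names `check_ccache_dir` and `tmpfiles_line` are my own; it assumes GNU stat (`-c`) as shipped on Fedora.

```shell
#!/bin/sh
# Added example: audit the per-user ccache directory a daemon relies on.
# Assumes GNU coreutils stat (-c format strings), as on Fedora.

# check_ccache_dir DIR USER GROUP
#   returns 0 when DIR is a directory owned by USER:GROUP with mode 700,
#   otherwise prints the reason and returns 1 (missing), 2 (mode) or
#   3 (ownership). A too-open directory lets other local users read or
#   replace the cached credentials, which is what the 700 requirement avoids.
check_ccache_dir() {
    dir=$1; user=$2; group=$3
    if [ ! -d "$dir" ]; then
        echo "missing: $dir (daemon relying on the default ccache will fail)"
        return 1
    fi
    mode=$(stat -c '%a' "$dir") || return 1
    owner=$(stat -c '%U' "$dir") || return 1
    grp=$(stat -c '%G' "$dir") || return 1
    if [ "$mode" != "700" ]; then
        echo "bad mode on $dir: $mode (want 700)"
        return 2
    fi
    if [ "$owner" != "$user" ] || [ "$grp" != "$group" ]; then
        echo "bad ownership on $dir: $owner:$grp (want $user:$group)"
        return 3
    fi
    return 0
}

# tmpfiles_line DIR USER GROUP
#   prints the /etc/tmpfiles.d entry (type path mode user group) that makes
#   systemd-tmpfiles create DIR with the required permissions at boot.
tmpfiles_line() {
    printf 'd %s 700 %s %s\n' "$1" "$2" "$3"
}

# Usage: sh check_ccache_dir.sh /run/user/apache apache apache
if [ $# -eq 3 ]; then
    if check_ccache_dir "$1" "$2" "$3"; then
        echo "ok: $1 is usable as the default krb5 ccache directory"
    else
        echo "add to /etc/tmpfiles.d/<daemon>.conf: $(tmpfiles_line "$1" "$2" "$3")"
    fi
fi
```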