On Mon, 2012-06-25 at 09:00 -0400, Stephen Gallagher wrote:
> On Fri, 2012-06-22 at 09:36 +0100, David Howells wrote:
> > Stephen Gallagher <sgallagh@xxxxxxxxxx> wrote:
> >
> > > 1) Credential caches are now stored in a tmpfs location. This is a
> > > security feature, as a stolen laptop may not be booted in single-user
> > > mode to extract a valid TGT.
> >
> > Is it? Can't tmpfs move stuff arbitrarily out to swap?
>
> Ah, true. This could happen in a low-memory case. I should perhaps
> revise this statement then to be "This is a security feature, as a
> stolen laptop booted in single user mode will have a much more difficult
> time of extracting a valid TGT".
>
> This of course can be further mitigated by the use of encrypted swap
> space.

If you are concerned about security of laptops and do not encrypt swap
you do not care about leaking TGTs, IMHO.

Of course another solution is to simply have no swap, but that would
prevent hibernation I think, which may be a desirable feature.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
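The two conditions discussed in this thread (credential cache on tmpfs, swap encrypted) can be checked mechanically. The following is an added example, not part of the original message or of any Fedora tooling: it parses text in the formats of `/proc/mounts` and `/proc/swaps`. The sample data, the cache path `/run/user/1000/krb5cc` and all function names are constructed for illustration, and it assumes dm-crypt mappings carry a device-mapper UUID starting with `CRYPT-`, as cryptsetup sets it.

```python
"""Audit sketch: is a ccache path on tmpfs, and is every swap area encrypted?"""
import os

# Constructed sample data in the formats of /proc/mounts and /proc/swaps.
SAMPLE_MOUNTS = """\
/dev/mapper/fedora-root / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""
SAMPLE_SWAPS = """\
Filename      Type        Size     Used  Priority
/dev/dm-1     partition   4194300  0     -2
/dev/sda3     partition   2097148  0     -3
"""

def fstype_for(path, mounts_text):
    """Return the filesystem type of the deepest mount point containing path."""
    best, best_type = "", None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        mnt, fstype = fields[1], fields[2]
        prefix = mnt.rstrip("/") + "/"
        # ">=" lets a later mount on the same mount point shadow an earlier one.
        if (path == mnt or path.startswith(prefix)) and len(mnt) >= len(best):
            best, best_type = mnt, fstype
    return best_type

def unencrypted_swaps(swaps_text, dm_uuid_of):
    """Return active swap areas not directly backed by a dm-crypt mapping.

    dm_uuid_of(devname) returns the device-mapper UUID or None. Swap files
    and LVM volumes stacked on an encrypted device are flagged conservatively.
    """
    flagged = []
    for line in swaps_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if not fields:
            continue
        uuid = dm_uuid_of(os.path.basename(fields[0])) or ""
        if not uuid.startswith("CRYPT-"):
            flagged.append(fields[0])
    return flagged

def sysfs_dm_uuid(dev):
    """Read the device-mapper UUID of a block device from sysfs, if any."""
    try:
        with open(f"/sys/block/{dev}/dm/uuid") as f:
            return f.read().strip()
    except OSError:
        return None
```

On a live system, pass the contents of `/proc/mounts` and `/proc/swaps` and use `sysfs_dm_uuid` as the lookup; any device returned by `unencrypted_swaps` is a place where tmpfs pages holding a TGT could land on disk in the clear.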