On Fri, 26.07.13 14:32, Stephen Gallagher (sgallagh@xxxxxxxxxx) wrote:

> As Simo noted in the other thread, the availability of credentials
> outside the normal user session is an expectation of existing tools.
> The exposure here is significantly mitigated by the fact that Kerberos
> credentials are time-limited by the KDC.

So, let me get this right: you want a host-specific tmpfs location which is never automatically cleaned up, but is a private namespace of the user (though the system sometimes writes to it), correct?

That really sounds like a step backwards. Defining new runtime dirs without immediately thinking about life-cycles is something we really shouldn't do anymore. XDG_RUNTIME_DIR was introduced just because we want a clear life-cycle.

Lennart

PS: As a side note, what do you actually create in XDG_RUNTIME_DIR? A subdirectory? You are aware of the inherent risks of sharing a directory between system code and user code? It's extremely hard to properly get a subdir created in such a dir without opening a security hole.

PPS: If you give up on the unrestricted life-cycle and hence do still want to use XDG_RUNTIME_DIR, and you don't want to pre-create the dir on your own: you could just stick the cred cache into some PAM context var instead of writing it to XDG_RUNTIME_DIR right away, and then write it to the fs only at the very last step, long after pam_systemd set it up for you. sshd could place its creds there, and the PAM auth modules could add more into it, and then as the last step you just flush all that was collected to the dir. This would be quite nice given that that way an aborted PAM session setup could never leave the half-set-up pre-created dir around.

--
Lennart Poettering - Red Hat, Inc.

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
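The PS above warns that creating a subdirectory inside a directory shared between system code (pam_systemd, sshd running as root) and user code is hard to do without opening a hole: a user who controls the parent can plant a symlink or a pre-existing directory where the system component expects to create its own. The following is an added example, not code from this thread, from SSSD, or from systemd; it shows the defensive pattern a practitioner would use, with a hypothetical helper name (`open_private_subdir`) and a hypothetical subdirectory name (`krb5cc`) chosen for illustration. The parent is opened as a directory fd, checked with fstat, the child is created with mkdirat and then opened with O_NOFOLLOW so that a symlink swapped in between the two calls fails with ELOOP instead of being followed, and the fd actually held is verified (real directory, expected owner, no group/other bits) before it is handed back for use with openat-relative operations. The `check_scenarios` function sets up constructed cases under a fresh mkdtemp parent and returns a bitmask of which defenses fired.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Verify that the object behind fd is a real directory owned by `owner`
 * with no group/other permission bits. Checking the fd we hold (not a
 * path) closes the window between creation and use. 0 on success, -1 else. */
static int verify_private_dir(int fd, uid_t owner) {
    struct stat st;
    if (fstat(fd, &st) < 0) return -1;
    if (!S_ISDIR(st.st_mode)) { errno = ENOTDIR; return -1; }
    if (st.st_uid != owner) { errno = EPERM; return -1; }
    if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0) { errno = EPERM; return -1; }
    return 0;
}

/* Hypothetical helper: create (or reuse) subdirectory `name` of `parent`
 * on behalf of user `owner`. Returns an O_DIRECTORY fd for the subdir, or
 * -1 with errno set. The caller then uses openat()/mkdirat() relative to
 * the returned fd instead of rebuilding path strings. */
int open_private_subdir(const char *parent, const char *name, uid_t owner) {
    int pfd = open(parent, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (pfd < 0) return -1;
    /* The parent itself must be private to `owner`; a shared or
     * world-writable parent lets a third party race the steps below. */
    if (verify_private_dir(pfd, owner) < 0) { close(pfd); return -1; }
    /* EEXIST is fine here (reuse); anything else is an error. A symlink
     * planted under `name` also yields EEXIST and is caught by the openat. */
    if (mkdirat(pfd, name, 0700) < 0 && errno != EEXIST) { close(pfd); return -1; }
    /* O_NOFOLLOW: if `name` is (or became) a symlink, this fails with ELOOP
     * rather than opening whatever the link points at. */
    int fd = openat(pfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    close(pfd);
    if (fd < 0) return -1;
    if (verify_private_dir(fd, owner) < 0) { close(fd); return -1; }
    return fd;
}

/* Constructed scenarios under a fresh temporary parent (mkdtemp creates it
 * mode 0700, owned by us). Returns a bitmask: 1 = fresh create ok,
 * 2 = reuse of a good existing dir ok, 4 = planted symlink rejected,
 * 8 = pre-existing group/world-accessible dir rejected. 15 = all good. */
int check_scenarios(void) {
    char parent[] = "/tmp/krb5cc-demo-XXXXXX";
    if (!mkdtemp(parent)) return 0;
    uid_t me = getuid();
    int result = 0, fd;
    char path[512];

    fd = open_private_subdir(parent, "krb5cc", me);
    if (fd >= 0) { result |= 1; close(fd); }

    fd = open_private_subdir(parent, "krb5cc", me);
    if (fd >= 0) { result |= 2; close(fd); }

    /* Attacker-style setup: a symlink sitting where the subdir is expected. */
    snprintf(path, sizeof path, "%s/%s", parent, "evil");
    if (symlink("/etc", path) == 0) {
        fd = open_private_subdir(parent, "evil", me);
        if (fd < 0) result |= 4; else close(fd);
        unlink(path);
    }

    /* Attacker-style setup: a real directory, but readable by everyone. */
    snprintf(path, sizeof path, "%s/%s", parent, "loose");
    if (mkdir(path, 0700) == 0 && chmod(path, 0755) == 0) {
        fd = open_private_subdir(parent, "loose", me);
        if (fd < 0) result |= 8; else close(fd);
        rmdir(path);
    }

    snprintf(path, sizeof path, "%s/%s", parent, "krb5cc");
    rmdir(path);
    rmdir(parent);
    return result;
}

int main(void) {
    int r = check_scenarios();
    printf("scenario bitmask: %d (15 means every check behaved)\n", r);
    return r == 15 ? 0 : 1;
}
```

Note that this only makes the directory creation itself safe; it does nothing for the life-cycle problem the message is actually about, and the PPS approach (collect the credentials in PAM data during authentication and flush them to the directory as the last step) is the one that avoids leaving a half-populated directory behind when session setup aborts.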