Headsup! krb5 ccache defaults are changing in Rawhide

David Quigley selinux at davequigley.com
Fri Feb 24 01:41:34 UTC 2012


On 02/23/2012 14:28, Stephen Gallagher wrote:
> Dear fellow developers,
>
> with the upcoming Fedora 18 release (currently Rawhide) we are going to
> change the place where krb5 credential cache files are saved by default.
>
> The new default for credential caches will be the /run/user/<username>
> directory.
>
> The reason is to make credential saving a bit more predictable while at
> the same time avoiding races. Along the road we also gain a little bit
> more security by the fact that /run is a tmpfs and therefore cached
> credentials are automatically removed if the machine is shut off.
>
> We have opened bugs to change the default location in libkrb5
> https://bugzilla.redhat.com/show_bug.cgi?id=796429 in sssd
> https://bugzilla.redhat.com/show_bug.cgi?id=786957 and nfs-utils
> https://bugzilla.redhat.com/show_bug.cgi?id=786993
>
> Normal users should not experience issues once these components are
> fixed, however because the /run/user/<username> directory is created by
> PAM it means this directory is not normally created for daemons that may
> run as a system user.
>
> One such case is mod_auth_kerb that recently gained the ability to kinit
> with an HTTP/ keytab in order to support the s4u2proxy feature.
>
> For daemons that use a keytab to kinit because they act as clients (as
> opposed to just servers that accept kerberos connections), it may be
> needed to add a configuration snippet in their configuration file
> under /etc/tmpfiles.d so that /run/user/<username> is created with the
> correct permissions (700) and user ownership.
>
> For example, httpd would add the following line to
> the /etc/tmpfiles.d/httpd.conf:
>
> d /var/run/user/apache   700 apache apache
>
> If you know your daemon requires a credential cache file and does not
> specify one on its own but instead relies on the default location, then
> you should open a ticket in bugzilla and add the necessary configuration
> to tmpfiles.d
>
> If you have any questions feel free to contact any of the people in CC.
>
> --
> Stephen Gallagher * Red Hat, Inc * Massachusetts

(apologies if you get this twice. I sent it from the wrong address.)

Please make sure to have any SELinux related things fixed at the same 
time (setting proper labels, extending policy etc). Where are the creds 
currently stored? Once we have that one of us can check if the old and 
new locations have the same security information or if we have to fix 
that.

Dave
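The tmpfiles.d entry Stephen quotes is the whole fix for a daemon that relies on the default ccache location, but it is easy to get the ownership or mode wrong, and a pre-existing symlink or a world-readable directory at that path would quietly expose the daemon's tickets. The script below is an added example written for this page; it is not code from the thread, from Fedora, or from httpd. It renders the tmpfiles.d line for a daemon account (written with a four-digit mode, 0700, which systemd-tmpfiles accepts just like 700, and under /run/user directly, since /var/run is a symlink to /run on Fedora), checks an existing directory against the announcement's requirements, and optionally installs the snippet and creates the directory right away with `systemd-tmpfiles --create` instead of waiting for the next boot. It assumes GNU coreutils (`stat -c`) and, for the install step only, root and systemd. It does not look at SELinux labels, which Dave's reply asks about separately.

```shell
#!/bin/sh
# Added example, not code from the thread or from Fedora/httpd.
# Renders the tmpfiles.d entry for a daemon's /run/user/<username>
# credential cache directory and verifies an existing directory against
# the announcement's requirements: mode 700, owned by the daemon user.
# Assumes GNU coreutils (stat -c); install_snippet also assumes systemd.

# Print a tmpfiles.d "d" line for USER. Group defaults to USER, base
# directory to /run/user (on Fedora /var/run is a symlink to /run).
# The trailing "-" is the age field: never clean the directory.
tmpfiles_line() {
    _user=$1
    _group=${2:-$1}
    _base=${3:-/run/user}
    printf 'd %s/%s 0700 %s %s -\n' "$_base" "$_user" "$_user" "$_group"
}

# Check that DIR is usable as USER's credential cache directory:
# it must exist, be a real directory (not a symlink another local user
# could have planted before the daemon started), be owned by USER, and
# be mode 700 so nobody else can read or create files under it.
# Returns 0 when OK, 1 otherwise, with the reason on stderr.
ccache_dir_ok() {
    _dir=$1
    _user=$2
    if [ -L "$_dir" ]; then
        echo "$_dir: is a symlink" >&2; return 1
    fi
    if [ ! -d "$_dir" ]; then
        echo "$_dir: missing or not a directory" >&2; return 1
    fi
    _want=$(id -u "$_user" 2>/dev/null) || {
        echo "$_user: no such user" >&2; return 1
    }
    _owner=$(stat -c '%u' "$_dir")
    _mode=$(stat -c '%a' "$_dir")
    if [ "$_owner" != "$_want" ]; then
        echo "$_dir: owned by uid $_owner, expected uid $_want" >&2; return 1
    fi
    if [ "$_mode" != "700" ]; then
        echo "$_dir: mode $_mode, expected 700" >&2; return 1
    fi
    return 0
}

# Write the snippet to /etc/tmpfiles.d/<user>.conf and create the
# directory now rather than at the next boot. Must run as root.
install_snippet() {
    _user=$1
    [ "$(id -u)" -eq 0 ] || { echo "install_snippet: run as root" >&2; return 1; }
    tmpfiles_line "$_user" > "/etc/tmpfiles.d/$_user.conf"
    systemd-tmpfiles --create "/etc/tmpfiles.d/$_user.conf"
    ccache_dir_ok "/run/user/$_user" "$_user"
}

# Example calls:
#   tmpfiles_line apache            # -> d /run/user/apache 0700 apache apache -
#   ccache_dir_ok /run/user/apache apache && echo ok
#   install_snippet apache          # as root, after the daemon user exists
```

Run `ccache_dir_ok` from the daemon's start-up path (or a post-install check) rather than trusting the snippet alone: tmpfiles.d creates the directory with the stated owner and mode only when nothing is there yet, so a stale or attacker-created entry at the same path is exactly the case the check is for.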

