On 02/24/2012 08:44 AM, David Quigley wrote:
On 02/24/2012 00:22, Simo Sorce wrote:
> On Thu, 2012-02-23 at 20:41 -0500, David Quigley wrote:
>> On 02/23/2012 14:28, Stephen Gallagher wrote:
>>> Dear fellow developers,
>>>
>>> with the upcoming Fedora 18 release (currently Rawhide) we
>>> are going to change the place where krb5 credential cache
>>> files are saved by default.
>>>
>>> The new default for credential caches will be the
>>> /run/user/<username> directory.
>>>
>>> The reason is to make credential saving a bit more
>>> predictable while at the same time avoiding races. Along the
>>> road we also gain a little bit more security by the fact that
>>> /run is a tmpfs and therefore cached credentials are
>>> automatically removed if the machine is shut off.
>>>
>>> We have opened bugs to change the default location in
>>> libkrb5 https://bugzilla.redhat.com/show_bug.cgi?id=796429 in
>>> sssd https://bugzilla.redhat.com/show_bug.cgi?id=786957 and
>>> nfs-utils https://bugzilla.redhat.com/show_bug.cgi?id=786993
>>>
>>> Normal users should not experience issues once these
>>> components are fixed, however because the
>>> /run/user/<username> directory is created by PAM it means
>>> this directory is not normally created for daemons that may
>>> run as a system user.
>>>
>>> One such case is mod_auth_kerb that recently gained the
>>> ability to kinit with an HTTP/ keytab in order to support the
>>> s4u2proxy feature.
>>>
>>> For daemons that use a keytab to kinit because they act as
>>> clients (as opposed to just servers that accept kerberos
>>> connections), it may be necessary to add a configuration
>>> snippet in their configuration file under /etc/tmpfiles.d so
>>> that /run/user/<username> is created with the correct
>>> permissions (700) and user ownership.
>>>
>>> For example, httpd would add the following line to the
>>> /etc/tmpfiles.d/httpd.conf:
>>>
>>> d /var/run/user/apache 700 apache apache
>>>
>>> If you know your daemon requires a credential cache file and
>>> does not specify one on its own but instead relies on the
>>> default location, then you should open a ticket in bugzilla
>>> and add the necessary configuration to tmpfiles.d
>>>
>>> If you have any questions feel free to contact any of the
>>> people in CC.
>>>
>>> -- Stephen Gallagher * Red Hat, Inc * Massachusetts
>>
>> (apologies if you get this twice. I sent it from the wrong
>> address.)
>>
>> Please make sure to have any SELinux related things fixed at
>> the same time (setting proper labels, extending policy etc).
>> Where are the creds currently stored? Once we have that one of
>> us can check if the old and new locations have the same
>> security information or if we have to fix that.
>
> Dan Walsh is one of the owners of the feature. You can blame him
> if SELinux policies are broken! :-D
>
> Simo.
>
> -- Simo Sorce * Red Hat, Inc * New York
Ok just wanted to make sure that Dan or one of us was involved.
I'll make sure to blame him if things break :)
Actually the current label for both locations is user_tmp_t. Although
there has been some thought to changing the label of /run/user/USERNAME
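As an added illustration of the tmpfiles.d step described in the thread (this is example code, not anything posted by the participants or shipped by Fedora), the script below renders the tmpfiles.d line for a daemon user and then checks that a credential-cache directory is in the state the announcement asks for: a real directory, mode exactly 0700, owned by that user. It uses /run/user rather than the /var/run alias from the httpd example, assumes a find(1) that supports -maxdepth (GNU and BSD both do), and the helper names tmpfiles_line and check_ccache_dir are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): render a tmpfiles.d line for a daemon
# user and verify the credential-cache directory it is meant to produce.
# Assumes find(1) supports -maxdepth (GNU and BSD both do).

# tmpfiles.d line for a daemon that kinits as $1, following the httpd example
# from the thread but under /run/user (on Fedora, /var/run is a symlink to /run).
tmpfiles_line() {
    printf 'd /run/user/%s 700 %s %s\n' "$1" "$1" "$1"
}

# check_ccache_dir DIR USER (hypothetical helper): return 0 only if DIR is a
# real directory (not a symlink), mode exactly 0700 and owned by USER.
# A 0755 or group-readable directory would expose cached tickets to other
# local users; a symlink could redirect the cache somewhere they control.
check_ccache_dir() {
    dir=$1
    owner=$2
    if [ -L "$dir" ]; then
        echo "refusing symlink: $dir" >&2
        return 2
    fi
    if [ ! -d "$dir" ]; then
        echo "missing: $dir (daemon needs a tmpfiles.d snippet)" >&2
        return 1
    fi
    # find prints the path only when every predicate matches; -perm 700 is an
    # exact match, so any extra bit such as g+r or o+x makes the check fail
    if [ -n "$(find "$dir" -maxdepth 0 -type d -perm 700 -user "$owner" 2>/dev/null)" ]; then
        return 0
    fi
    echo "wrong mode or owner on $dir (want 0700, owner $owner)" >&2
    return 3
}

# Stand-alone usage: ./check.sh /run/user/apache apache
if [ "$#" -ge 2 ]; then
    tmpfiles_line "$2"
    check_ccache_dir "$1" "$2"
fi
```

Run it as the daemon's expected owner after `systemd-tmpfiles --create` (or after boot) to confirm the directory actually exists with the intended mode; a daemon that only kinits and never checks this will fail at runtime or, worse, fall back to a cache location other users can read.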