On Mon, 2018-12-03 at 12:12 +0300, Levin Stanislav wrote:
> So, my question are there any other known limitations of utilization of
> gssproxy non-privileged user?

Although not recommended, gss-proxy can be configured to work on other
users' ccaches.
For example, to allow privilege separation such that only GSS-Proxy can
use the keytab for obtaining tickets but still let applications that
somehow mix GSSAPI and raw libkrb5 calls work by writing a
user-accessible ccache. In this case GSS-Proxy needs to run as root with DAC
Override, I think.
There may be other similar corner-case uses, but for the main uses it
should be OK to run as an unprivileged user. Please open an Issue/PR if
you need anything changed in GSS-Proxy to work in your setup.
HTH,
Simo.
--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc