Headsup! krb5 ccache defaults are changing in Rawhide

Simo Sorce simo at redhat.com
Fri Feb 24 05:22:10 UTC 2012


On Thu, 2012-02-23 at 20:41 -0500, David Quigley wrote:
> On 02/23/2012 14:28, Stephen Gallagher wrote:
> > Dear fellow developers,
> >
> > with the upcoming Fedora 18 release (currently Rawhide) we are going to
> > change the place where krb5 credential cache files are saved by default.
> >
> > The new default for credential caches will be the /run/user/<username>
> > directory.
> >
> > The reason is to make credential saving a bit more predictable while at
> > the same time avoiding races. Along the road we also gain a little bit
> > more security by the fact that /run is a tmpfs and therefore cached
> > credentials are automatically removed if the machine is shut off.
> >
> > We have opened bugs to change the default location in libkrb5
> > https://bugzilla.redhat.com/show_bug.cgi?id=796429 in sssd
> > https://bugzilla.redhat.com/show_bug.cgi?id=786957 and nfs-utils
> > https://bugzilla.redhat.com/show_bug.cgi?id=786993
> >
> > Normal users should not experience issues once these components are
> > fixed, however because the /run/user/<username> directory is created by
> > PAM it means this directory is not normally created for daemons that may
> > run as a system user.
> >
> > One such case is mod_auth_kerb that recently gained the ability to kinit
> > with an HTTP/ keytab in order to support the s4u2proxy feature.
> >
> > For daemons that use a keytab to kinit because they act as clients (as
> > opposed to just servers that accept kerberos connections), it may be
> > needed to add a configuration snippet in their configuration file
> > under /etc/tmpfiles.d so that /run/user/<username> is created with the
> > correct permissions (700) and user ownership.
> >
> > For example, httpd would add the following line to
> > the /etc/tmpfiles.d/httpd.conf:
> >
> > d /var/run/user/apache   700 apache apache
> >
> > If you know your daemon requires a credential cache file and does not
> > specify one on its own but instead relies on the default location, then
> > you should open a ticket in bugzilla and add the necessary configuration
> > to tmpfiles.d.
> >
> > If you have any questions feel free to contact any of the people in CC.
> >
> > --
> > Stephen Gallagher * Red Hat, Inc * Massachusetts
> 
> (apologies if you get this twice. I sent it from the wrong address.)
> 
> Please make sure to have any SELinux related things fixed at the same
> time (setting proper labels, extending policy etc). Where are the creds
> currently stored? Once we have that one of us can check if the old and
> new locations have the same security information or if we have to fix
> that.

Dan Walsh is one of the owners of the feature.
You can blame him if SELinux policies are broken! :-D

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
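Added example, not code from the thread or from any of the projects named in it: a small Python check for the daemon credential-cache directory the quoted announcement asks packagers to create through tmpfiles.d. It parses a `d` entry of the form shown above and verifies that the live directory is a real directory, owned by the expected uid/gid and mode 700, so a directory created with loose permissions does not expose (or allow replacement of) cached tickets. Function names `parse_tmpfiles_line` and `check_ccache_dir` are my own.

```python
import os
import stat

# Constructed example, not project code: verify that a daemon's
# /run/user/<username> ccache directory matches what the announcement
# asks for (mode 700, owned by the service user) before trusting it.


def parse_tmpfiles_line(line):
    """Parse one tmpfiles.d 'd' entry into (path, mode, user, group).

    Expected shape, as in the announcement:
        d /var/run/user/apache   700 apache apache
    Returns None for blank lines, comments or entries of another type.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if fields[0] != "d" or len(fields) < 5:
        return None
    return fields[1], int(fields[2], 8), fields[3], fields[4]


def check_ccache_dir(path, expected_uid, expected_gid, expected_mode=0o700):
    """Return a list of problems with the ccache directory at `path`.

    An empty list means: present, a real directory (not a symlink), owned by
    expected_uid/expected_gid and with exactly expected_mode permission bits.
    """
    problems = []
    try:
        st = os.lstat(path)  # lstat: do not follow a planted symlink
    except FileNotFoundError:
        return ["missing: %s (no tmpfiles.d entry and no PAM session?)" % path]
    if stat.S_ISLNK(st.st_mode):
        return ["%s is a symlink; refusing to trust it" % path]
    if not stat.S_ISDIR(st.st_mode):
        problems.append("%s is not a directory" % path)
    if st.st_uid != expected_uid:
        problems.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))
    if st.st_gid != expected_gid:
        problems.append("group gid %d, expected %d" % (st.st_gid, expected_gid))
    perms = stat.S_IMODE(st.st_mode)
    if perms != expected_mode:
        problems.append("mode %04o, expected %04o" % (perms, expected_mode))
    return problems
```

For a real service, resolve the user and group from the parsed entry with `pwd.getpwnam` / `grp.getgrnam` and feed the resulting ids to `check_ccache_dir`.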
