Headsup! krb5 ccache defaults are changing in Rawhide

David Quigley selinux at davequigley.com
Fri Feb 24 13:44:13 UTC 2012


On 02/24/2012 00:22, Simo Sorce wrote:
> On Thu, 2012-02-23 at 20:41 -0500, David Quigley wrote:
>> On 02/23/2012 14:28, Stephen Gallagher wrote:
>> > Dear fellow developers,
>> >
>> > with the upcoming Fedora 18 release (currently Rawhide) we are going
>> > to change the place where krb5 credential cache files are saved by
>> > default.
>> >
>> > The new default for credential caches will be the /run/user/<username>
>> > directory.
>> >
>> > The reason is to make credential saving a bit more predictable while
>> > at the same time avoiding races. Along the road we also gain a little
>> > bit more security by the fact that /run is a tmpfs and therefore
>> > cached credentials are automatically removed if the machine is shut
>> > off.
>> >
>> > We have opened bugs to change the default location in libkrb5
>> > https://bugzilla.redhat.com/show_bug.cgi?id=796429 in sssd
>> > https://bugzilla.redhat.com/show_bug.cgi?id=786957 and nfs-utils
>> > https://bugzilla.redhat.com/show_bug.cgi?id=786993
>> >
>> > Normal users should not experience issues once these components are
>> > fixed, however because the /run/user/<username> directory is created
>> > by PAM it means this directory is not normally created for daemons
>> > that may run as a system user.
>> >
>> > One such case is mod_auth_kerb that recently gained the ability to
>> > kinit with an HTTP/ keytab in order to support the s4u2proxy feature.
>> >
>> > For daemons that use a keytab to kinit because they act as clients (as
>> > opposed to just servers that accept kerberos connections), it may be
>> > needed to add a configuration snippet in their configuration file
>> > under /etc/tmpfiles.d so that /run/user/<username> is created with
>> > the correct permissions (700) and user ownership.
>> >
>> > For example, httpd would add the following line to
>> > the /etc/tmpfiles.d/httpd.conf:
>> >
>> > d /var/run/user/apache   700 apache apache
>> >
>> > If you know your daemon requires a credential cache file and does not
>> > specify one on its own but instead relies on the default location,
>> > then you should open a ticket in bugzilla and add the necessary
>> > configuration to tmpfiles.d
>> >
>> > If you have any questions feel free to contact any of the people in
>> > CC.
>> >
>> > --
>> > Stephen Gallagher * Red Hat, Inc * Massachusetts
>>
>> (apologies if you get this twice. I sent it from the wrong address.)
>>
>> Please make sure to have any SELinux related things fixed at the same
>> time (setting proper labels, extending policy etc). Where are the creds
>> currently stored? Once we have that one of us can check if the old and
>> new locations have the same security information or if we have to fix
>> that.
>
> Dan Walsh is one of the owners of the feature.
> You can blame him if SELinux policies are broken! :-D
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

Ok just wanted to make sure that Dan or one of us was involved. I'll 
make sure to blame him if things break :)
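As an added check (not part of the mail thread or of the krb5, sssd or httpd projects): a small shell function that verifies a daemon's /run/user/<username> directory has the mode and ownership the tmpfiles.d snippet quoted above is meant to create, and reports its SELinux label so the old and new cache locations can be compared. It assumes GNU coreutils stat (Linux); the directory path and user name are parameters, not values taken from the mail.

```shell
#!/bin/sh
# Added example (not from the original mail): check that a daemon's
# credential-cache directory under /run/user exists with mode 0700 and
# is owned by the daemon user, as the tmpfiles.d snippet is meant to
# ensure. Assumes GNU coreutils `stat`.

# check_ccache_dir DIR USER
#   returns 0 if DIR is a directory, mode 700, owned by USER;
#   otherwise prints the reason to stderr and returns non-zero.
check_ccache_dir() {
    dir=$1
    user=$2
    if [ ! -d "$dir" ]; then
        echo "$dir: missing (tmpfiles.d snippet absent or not yet applied)" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$dir") || return 1
    owner=$(stat -c '%U' "$dir") || return 1
    if [ "$mode" != "700" ]; then
        echo "$dir: mode is $mode, expected 700" >&2
        return 2
    fi
    if [ "$owner" != "$user" ]; then
        echo "$dir: owned by $owner, expected $user" >&2
        return 3
    fi
    # On an SELinux system, show the label so it can be compared with
    # the label of the previous cache location.
    if [ -d /sys/fs/selinux ]; then
        ctx=$(stat -c '%C' "$dir" 2>/dev/null) && echo "$dir: context $ctx"
    fi
    return 0
}

# Matching tmpfiles.d line for the httpd case discussed in the thread:
#   d /run/user/apache 0700 apache apache
# Usage: check_ccache_dir /run/user/apache apache
```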

