Headsup! krb5 ccache defaults are changing in Rawhide

Daniel J Walsh dwalsh at redhat.com
Fri Feb 24 14:10:02 UTC 2012



On 02/24/2012 08:44 AM, David Quigley wrote:
> On 02/24/2012 00:22, Simo Sorce wrote:
>> On Thu, 2012-02-23 at 20:41 -0500, David Quigley wrote:
>>> On 02/23/2012 14:28, Stephen Gallagher wrote:
>>>> Dear fellow developers,
>>>> 
>>>> with the upcoming Fedora 18 release (currently Rawhide) we
>>>> are going to change the place where krb5 credential cache
>>>> files are saved by default.
>>>> 
>>>> The new default for credential caches will be the 
>>>> /run/user/<username> directory.
>>>> 
>>>> The reason is to make credential saving a bit more
>>>> predictable while at the same time avoiding races. Along the
>>>> road we also gain a little bit more security by the fact that
>>>> /run is a tmpfs and therefore cached credentials are
>>>> automatically removed if the machine is shut off.
>>>> 
>>>> We have opened bugs to change the default location in
>>>> libkrb5 https://bugzilla.redhat.com/show_bug.cgi?id=796429 in
>>>> sssd https://bugzilla.redhat.com/show_bug.cgi?id=786957 and
>>>> nfs-utils https://bugzilla.redhat.com/show_bug.cgi?id=786993
>>>> 
>>>> Normal users should not experience issues once these
>>>> components are fixed, however because the
>>>> /run/user/<username> directory is created by PAM it means
>>>> this directory is not normally created for daemons that may 
>>>> run as a system user.
>>>> 
>>>> One such case is mod_auth_kerb that recently gained the
>>>> ability to kinit with an HTTP/ keytab in order to support the
>>>> s4u2proxy feature.
>>>> 
>>>> For daemons that use a keytab to kinit because they act as
>>>> clients (as opposed to just servers that accept kerberos
>>>> connections), it may be needed to add a configuration
>>>> snippet in their configuration file under /etc/tmpfiles.d so
>>>> that /run/user/<username> is created with the correct
>>>> permissions (700) and user ownership.
>>>> 
>>>> For example, httpd would add the following line to the
>>>> /etc/tmpfiles.d/httpd.conf:
>>>> 
>>>> d /var/run/user/apache   700 apache apache
>>>> 
>>>> If you know your daemon requires a credential cache file and
>>>> does not specify one on its own but instead relies on the
>>>> default location, then you should open a ticket in bugzilla
>>>> and add the necessary configuration to tmpfiles.d
>>>> 
>>>> If you have any questions feel free to contact any of the
>>>> people in CC.
>>>> 
>>>> -- Stephen Gallagher * Red Hat, Inc * Massachusetts
>>> 
>>> (apologies if you get this twice. I sent it from the wrong
>>> address.)
>>> 
>>> Please make sure to have any SELinux-related things fixed at
>>> the same time (setting proper labels, extending policy etc).
>>> Where are the creds currently stored? Once we have that one of
>>> us can check if the old and new locations have the same
>>> security information or if we have to fix that.
>> 
>> Dan Walsh is one of the owners of the feature. You can blame him
>> if SELinux policies are broken! :-D
>> 
>> Simo.
>> 
>> -- Simo Sorce * Red Hat, Inc * New York
> 
> Ok just wanted to make sure that Dan or one of us was involved.
> I'll make sure to blame him if things break :)


Actually the current label for both locations is user_tmp_t.  Although
there has been some thought to changing the label of /run/user/USERNAME


