Default libkrb5 ccache location

Lennart Poettering mzerqung at 0pointer.de
Fri Jul 26 18:52:10 UTC 2013


On Fri, 26.07.13 14:32, Stephen Gallagher (sgallagh at redhat.com) wrote:

> As Simo noted in the other thread, the availability of credentials
> outside the normal user session is an expectation of existing tools.
> The exposure here is significantly mitigated by the fact that Kerberos
> credentials are time-limited by the KDC.

So, let me get this right: you want a host-specific tmpfs location which
is never automatically cleaned up, but is a private namespace of the
user (though the system sometimes writes to it), correct?

That really sounds like a step backwards. Defining new runtime dirs without
immediately thinking about life-cycles is something we really shouldn't
do anymore.

XDG_RUNTIME_DIR was introduced just because we want a clear
life-cycle.

Lennart

PS: as a side note, what do you actually create in XDG_RUNTIME_DIR? A
subdirectory? You are aware of the inherent risks of sharing a
directory between system code and user code? It's extremely hard to
properly get a subdir created in such a dir without opening a security
hole.

PPS: if you give up on the unrestricted life-cycle and hence do still
want to use XDG_RUNTIME_DIR, and you don't want to pre-create the dir on your own:
you could just stick the cred cache into some PAM context var instead of
writing it to XDG_RUNTIME_DIR right away, and then write it to the fs
only at the very last step, long after pam_systemd set it up for
you. sshd could place its creds there, and the PAM auth modules could
add more into it, and then as the last step you just flush all that was
collected to the dir. This would be quite nice given that that way an
aborted PAM session setup could never leave the half-set-up pre-created
dir around.

-- 
Lennart Poettering - Red Hat, Inc.
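
An added example, not part of the original message and not code from libkrb5, systemd or PAM: one way privileged code can create a subdirectory inside a user-owned runtime directory, the risk raised in the PS, by checking file descriptors instead of re-resolved paths. The function name `open_private_subdir` is hypothetical, and the checks assume the parent is a per-user directory owned by `uid`.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: create (or reuse) `name` under `parent` for user `uid`
 * and return an fd to it, or -1. Every check is made on an open descriptor,
 * so a rename or symlink swap by the directory owner cannot redirect us. */
int open_private_subdir(const char *parent, const char *name, uid_t uid)
{
    struct stat st;
    /* A single plain component only: no "", ".", ".." or embedded slash. */
    if (!*name || name[0] == '.' || strchr(name, '/'))
        return -1;
    int pfd = open(parent, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (pfd < 0)
        return -1;
    /* Parent must belong to the user and not be group/other writable. */
    if (fstat(pfd, &st) < 0 || st.st_uid != uid || (st.st_mode & 022)) {
        close(pfd);
        return -1;
    }
    /* mkdirat does not follow a symlink at the final component; EEXIST is
     * tolerated and the existing object is vetted below. */
    if (mkdirat(pfd, name, 0700) < 0 && errno != EEXIST) {
        close(pfd);
        return -1;
    }
    /* O_NOFOLLOW rejects a symlink planted under this name. */
    int fd = openat(pfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    close(pfd);
    if (fd < 0)
        return -1;
    /* Vet the object actually held: a directory, owned by us (just created)
     * or by the user, with no group/other permission bits. */
    if (fstat(fd, &st) < 0 || !S_ISDIR(st.st_mode) || (st.st_mode & 077) ||
        (st.st_uid != uid && st.st_uid != geteuid())) {
        close(fd);
        return -1;
    }
    /* Transfer ownership through the descriptor, never through the path. */
    if (st.st_uid != uid && fchown(fd, uid, (gid_t)-1) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}
```

Callers should keep using the returned descriptor with `openat()` for anything written into the directory, since the path can be replaced by its owner at any time.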

