Hello,

On Thursday, 14 January 2016, Howard Guo wrote:
> Till now the default ccache location has been:
> DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc
At least for winbindd, I tend to disagree (winbindd probably overrides the
location). According to the AppArmor profile, we have

    2328 apparmo | /tmp/krb5cc_* rwk,
         - updates for samba 4.x and kerberos (bnc#846586#c12 and #c15,
           bnc#845867, bnc#846054)
    2461 apparmo | /var/cache/krb5rcache/* rw,
         - allow rw access to /var/cache/krb5rcache/* (bnc#870607)
> Kerberos has had support for kernel keyrings for quite a while, so now it
> is a good opportunity to consider moving the default ccache location to
> the kernel keyring instead, which brings several advantages:
>
> - Avoiding involving the file system, to reduce the potential attack
>   surface.
> - Using Kerberos utilities while in another user's shell (acquired by su
>   or sudo) will no longer throw a "credentials cache not found" error.
>
> The move is unlikely to cause compatibility issues between Kerberos and
> identity management solutions such as SSSD and Winbind. SSSD reads the
> ccache location settings from Kerberos and will adapt to the change
> automatically. Winbind supports keyring-type ccache and goes even further
> to commend it as being "the most secure and predictable method".
>
> Apart from those components above, are there other things I am missing?
Please check if winbind still works with AppArmor enabled after changing to
the kernel keyring. (In other words: does using the kernel keyring need
access to something in /proc/, /sys/ or /dev/?)

I don't know or use Kerberos (actually I don't even use Samba anymore, but
at least know it a bit), therefore I can't test myself.

A similar question applies for dovecot, which can also use Kerberos. For
more details, see the usr.lib.dovecot.auth AppArmor profile and
https://bugzilla.novell.com/show_bug.cgi?id=851984

Some testing if Dovecot (with Kerberos configured) still works when using
the kernel keyring would be welcome ;-)

Regards,

Christian Boltz
--
(gnome packages are getting too few and too easy :P )
Be sure that I'll keep this quote for later when we'll suffer some pain
with gnome packages ;-)
[> Dominique Leuenberger and Vincent Untz in opensuse-factory]
-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
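The question raised in the thread, whether a winbindd or dovecot profile still needs a credential-cache file rule once the default cache moves to the kernel keyring, can be checked mechanically against the profile text. The script below is an added example, not code from the thread or from MIT krb5, Samba or AppArmor: it reads default_ccache_name from a krb5.conf fragment, works out which paths a FILE: or DIR: cache opens, and reports which of them no rule in the profile grants read/write/lock (rwk) on. For a KEYRING: cache it reports no paths at all, because kernel keys are reached through the add_key(2)/keyctl(2) system calls rather than through the file system (whether a profile also needs the /var/cache/krb5rcache replay-cache rule or anything under /proc, /sys or /dev is outside what this script judges). The krb5.conf fragments, the /usr/sbin/winbindd profile text and the uid 1000 are constructed sample input, and the FILE:/tmp/krb5cc_%{uid} fallback used when krb5.conf sets nothing is an assumption about the build.

```python
"""Added example, not code from the thread or from MIT krb5, Samba or AppArmor:
check whether an AppArmor profile's file rules cover the credential cache that
krb5.conf's default_ccache_name selects. FILE: and DIR: caches live on paths
and need read/write/lock rules; a KEYRING: cache is reached through the kernel's
key-management syscalls, so no path and therefore no file rule is involved."""
import re
from typing import List, Optional, Set, Tuple

# Constructed krb5.conf fragments (sample input, not from a real system).
KRB5_CONF_DIR = ("[libdefaults]\n default_realm = EXAMPLE.COM\n"
                 " default_ccache_name = DIR:/run/user/%{uid}/krb5cc\n")
KRB5_CONF_KEYRING = "[libdefaults]\n default_ccache_name = KEYRING:persistent:%{uid}\n"

# Constructed profile fragment modelled on the two rules quoted in the thread;
# the profile name is hypothetical.
PROFILE_WINBINDD = """
/usr/sbin/winbindd {
  /tmp/krb5cc_* rwk,
  /var/cache/krb5rcache/* rw,
}
"""
# Same profile plus a rule for a DIR: cache below /run/user.
PROFILE_WINBINDD_DIR = PROFILE_WINBINDD.replace("}", "  owner /run/user/*/krb5cc/** rwk,\n}")

REQUIRED_PERMS = {"r", "w", "k"}          # read, write, file locking
# MIT's configure-time default when krb5.conf sets nothing (assumption about the
# build; distributions change DEFCCNAME, as the thread shows).
COMPILED_IN_DEFAULT = "FILE:/tmp/krb5cc_%{uid}"
# One AppArmor file rule: optional 'owner', absolute path glob, permission letters.
RULE_RE = re.compile(r"^\s*(?:owner\s+)?(/\S+)\s+([a-zA-Z]+)\s*,\s*(?:#.*)?$")


def default_ccache_name(conf: str) -> Optional[str]:
    """Return default_ccache_name from [libdefaults], or None when unset."""
    in_libdefaults = False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_libdefaults = line == "[libdefaults]"
            continue
        if in_libdefaults and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "default_ccache_name":
                return value.strip()
    return None


def parse_ccache(name: str, uid: int) -> Tuple[str, str]:
    """Split 'TYPE:residual' and expand %{uid}; without a type prefix it is FILE."""
    ctype, sep, residual = name.partition(":")
    if not sep:
        ctype, residual = "FILE", name
    return ctype.upper(), residual.replace("%{uid}", str(uid))


def paths_needed(ctype: str, residual: str) -> List[str]:
    """Representative paths a cache of this type opens (empty: none on disk)."""
    if ctype == "FILE":
        return [residual]
    if ctype == "DIR":   # MIT keeps a 'primary' pointer file plus tkt* files there
        return [residual + "/primary", residual + "/tktXXXXXX"]
    if ctype in ("KEYRING", "MEMORY"):
        return []
    raise ValueError(f"ccache type {ctype} is not modelled here")


def apparmor_glob_to_regex(glob: str) -> "re.Pattern[str]":
    """AppArmor globbing: * and ? stay inside one path component, ** crosses '/'.
    Brace alternation is not handled by this simplified converter."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = glob[i]
        out.append("[^/]*" if c == "*" else "[^/]" if c == "?" else re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_file_rules(profile: str) -> List[Tuple["re.Pattern[str]", Set[str]]]:
    """(path regex, permission set) for every literal file rule in the profile."""
    return [(apparmor_glob_to_regex(m.group(1)), set(m.group(2)))
            for m in map(RULE_RE.match, profile.splitlines()) if m]


def uncovered_paths(conf: str, profile: str, uid: int) -> Tuple[str, List[str]]:
    """Return (ccache type, cache paths that no rule grants rwk on)."""
    ctype, residual = parse_ccache(default_ccache_name(conf) or COMPILED_IN_DEFAULT, uid)
    rules = parse_file_rules(profile)
    missing = [p for p in paths_needed(ctype, residual)
               if not any(rx.match(p) and REQUIRED_PERMS <= perms for rx, perms in rules)]
    return ctype, missing


if __name__ == "__main__":
    for label, conf, prof in (("DIR, quoted rules", KRB5_CONF_DIR, PROFILE_WINBINDD),
                              ("DIR, /run/user rule added", KRB5_CONF_DIR, PROFILE_WINBINDD_DIR),
                              ("KEYRING, quoted rules", KRB5_CONF_KEYRING, PROFILE_WINBINDD)):
        ctype, missing = uncovered_paths(conf, prof, 1000)
        print(f"{label}: type={ctype} uncovered={missing or 'none'}")
```

Run as-is it prints three cases: the quoted rules cover a FILE: cache under /tmp but not a DIR: cache under /run/user, adding an `owner /run/user/*/krb5cc/** rwk,` rule fixes that, and a KEYRING: cache needs nothing from the profile's file rules. The checker only sees literal rules in the text it is given; it does not follow `#include` abstractions, so run it against a flattened profile if the ccache rules live in an abstraction.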