Fedora ticket cache location
Russ Allbery
rra at stanford.edu
Thu Jun 7 18:12:57 EDT 2012
Nico Williams <nico at cryptonector.com> writes:
> On Thu, Jun 7, 2012 at 4:24 PM, Russ Allbery <rra at stanford.edu> wrote:
>> Apache, for one obvious example. I may have credentials for the LDAP
>> client module in Apache, but I don't want those inherited by CGI
>> scripts. Of course, that basically argues for creating new sessions
>> when spawning CGI scripts (but that isn't what happens now).
> If these scripts inherit the same privileges as Apache then I don't
> see why not inherit krb5 credentials by inheriting Apache's session.
> OTOH, if they don't inherit credentials, e.g., because Apache does a
> fork() and setuid() prior to exec()ing the scripts, then I think we have
> a way to tell when sessions should not be inherited.
Apache doesn't setuid in a normal configuration when running CGI scripts.
They run as the same user with the same credentials as the Apache worker
user, which is usually some unprivleged system user. This is okay,
usually, but it doesn't work as soon as you have some other Apache module
in play that acquires additional credentials.
It's possible that this problem will eventually go away in the new FastCGI
world, where CGI scripts are much more commonly spawned by an external
management daemon and communicate with your web server over UNIX domain
sockets.
> Note that PAGs don't get inherited across initgroups(3C) calls on
> systems where PAGs are implemented by stealing the last two
> supplementary groups and part of the GID namespace.
This has only ever been the case accidentally. The AFS kernel module,
prior to switching to keyrings to store the canonical PAG, intercepted the
initgroups() call to preserve the PAG.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the krbdev
mailing list