Fedora ticket cache location
Sam Hartman
hartmans at MIT.EDU
Mon Jun 11 09:27:08 EDT 2012
>>>>> "Stephen" == Stephen Gallagher <sgallagh at redhat.com> writes:
Stephen> DIR:/run/user/<username>/krb5cc so that the location is 1) guaranteed to
Stephen> be readable only by the user (or root) and protectable by SELinux and 2)
Stephen> supports the multiple-TGT feature of recent krb5 and 3) is stored on a
Stephen> tmpfs system so that it is not retrievable on a stolen laptop by
Stephen> rebooting to single-user mode.
Can we get clarity about <username> in the above?
There are a number of ways to get the username in a process. From sssd's
standpoint, it doesn't matter, but we should be clear about what krb5
should do here. As an example of the possibilities:
* LOGNAME environment variable
* USER environment variable
* getpwuid(get?uid())
* getlogin() which is probably right for BSD but is kind of a bad idea
for Linux because of the utmp dependency
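
Added example, not part of the original message and not krb5 or sssd code: a small C program that expands the proposed `DIR:/run/user/<username>/krb5cc` template once per username source listed above, so the results can be compared in one session (for instance after `su` or with an edited `USER`). The names `ccache_name`, `username_from` and the `SRC_*` constants are hypothetical, and rejecting names that contain `/` or equal `.` or `..` is an assumption about what a safe expansion would do.

```c
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum src { SRC_LOGNAME, SRC_USER, SRC_PW_UID, SRC_PW_EUID, SRC_GETLOGIN, SRC_COUNT };
static const char *const src_label[SRC_COUNT] = {
    "LOGNAME", "USER", "getpwuid(getuid())", "getpwuid(geteuid())", "getlogin()"
};

/* Look up the username from one source; NULL if that source has no answer. */
static const char *username_from(enum src s)
{
    struct passwd *pw;
    switch (s) {
    case SRC_LOGNAME:  return getenv("LOGNAME");   /* set by the caller's environment */
    case SRC_USER:     return getenv("USER");      /* set by the caller's environment */
    case SRC_PW_UID:   pw = getpwuid(getuid());  return pw ? pw->pw_name : NULL;
    case SRC_PW_EUID:  pw = getpwuid(geteuid()); return pw ? pw->pw_name : NULL;
    case SRC_GETLOGIN: return getlogin();          /* login-session record, not the uid */
    default:           return NULL;
    }
}

/* Expand DIR:/run/user/<username>/krb5cc for one source.
 * Returns 0 on success, -1 if the source is unavailable, the name could
 * alter the path (empty, ".", "..", contains '/'), or the result does not fit. */
int ccache_name(enum src s, char *out, size_t len)
{
    const char *u = username_from(s);
    int n;
    if (u == NULL || *u == '\0' || strchr(u, '/') != NULL ||
        strcmp(u, ".") == 0 || strcmp(u, "..") == 0)
        return -1;
    n = snprintf(out, len, "DIR:/run/user/%s/krb5cc", u);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    char buf[256];
    for (int s = 0; s < SRC_COUNT; s++) {
        if (ccache_name((enum src)s, buf, sizeof buf) == 0)
            printf("%-20s -> %s\n", src_label[s], buf);
        else
            printf("%-20s -> (unavailable or rejected)\n", src_label[s]);
    }
    return 0;
}
```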