Fedora ticket cache location
Stephen Gallagher
sgallagh at redhat.com
Mon Jun 11 10:18:18 EDT 2012
On Mon, 2012-06-11 at 09:27 -0400, Sam Hartman wrote:
> >>>>> "Stephen" == Stephen Gallagher <sgallagh at redhat.com> writes:
>
> Stephen> DIR:/run/user/<username>/krb5cc so that the location is 1) guaranteed to
> Stephen> be readable only by the user (or root) and protectable by SELinux and 2)
> Stephen> supports the multiple-TGT feature of recent krb5 and 3) is stored on a
> Stephen> tmpfs system so that it is not retrievable on a stolen laptop by
> Stephen> rebooting to single-user mode.
>
> Can we get clarity about <username> in the above?
> There are a number of ways to get the username in a process. From sssd's
> standpoint, it doesn't matter, but we should be clear about what krb5
> should do here. As an example of the possibilities:
>
> * LOGNAME environment variable
>
> * USER environment variable
>
> * getpwuid(get?uid())
>
> * getlogin() which is probably right for BSD but is kind of a bad idea
> for Linux because of the utmp dependency
>
Well, we're also discussing the possibility of having a link (sym- or
hard-) between /run/user/<UID> and /run/user/<username>. Would that make
anything easier on you?
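To make the username question concrete, here is an added C example (not code from this thread, nor from krb5 or sssd) that resolves the directory from the real uid with getpwuid_r() instead of LOGNAME/USER, and refuses the directory unless it is owned by that uid with mode 0700. The spec string layout, the numeric-uid fallback (mirroring the /run/user/<UID> link mentioned above) and the verify_ccache_dir check are my construction.

```c
#define _XOPEN_SOURCE 700
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Resolve <username> for DIR:/run/user/<username>/krb5cc from the real uid
 * via getpwuid_r(), not LOGNAME/USER, which the caller's environment can set
 * to any name. With no passwd entry, fall back to the numeric /run/user/<UID>
 * form, which is what the kernel enforces anyway. Returns 0, or -1 if out is too small. */
int build_ccache_spec(uid_t uid, char *out, size_t outlen)
{
    struct passwd pw, *res = NULL;
    char pwbuf[1024], owner[64];
    if (getpwuid_r(uid, &pw, pwbuf, sizeof pwbuf, &res) == 0 && res != NULL)
        snprintf(owner, sizeof owner, "%s", pw.pw_name);
    else
        snprintf(owner, sizeof owner, "%lu", (unsigned long)uid);
    int n = snprintf(out, outlen, "DIR:/run/user/%s/krb5cc", owner);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Accept the cache directory only if it is a real directory (not a symlink)
 * owned by uid with mode 0700, so nobody else can read or plant tickets. Returns 0 or -1. */
int verify_ccache_dir(const char *path, uid_t uid)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode)) return -1;
    if (st.st_uid != uid) return -1;             /* someone else's directory */
    if ((st.st_mode & 0777) != 0700) return -1;  /* group/world bits present */
    return 0;
}

/* Self-check on a constructed temp directory: fresh 0700 passes, then the same
 * directory is rejected once opened to 0755. Returns 0 on success, else step number. */
int selftest(void)
{
    char tmpl[] = "/tmp/krb5cc-check-XXXXXX", spec[256];
    if (build_ccache_spec(getuid(), spec, sizeof spec) != 0) return 1;
    if (strncmp(spec, "DIR:/run/user/", 14) != 0) return 2;
    if (mkdtemp(tmpl) == NULL) return 3;          /* created with mode 0700 */
    int ok = verify_ccache_dir(tmpl, getuid()) == 0;
    chmod(tmpl, 0755);
    int rejected = verify_ccache_dir(tmpl, getuid()) != 0;
    rmdir(tmpl);
    return (ok && rejected) ? 0 : 4;
}
```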