Proposed new krb5 FILE ccache protocol

[Nico Williams]

On Tue, Jan 28, 2014 at 10:41 PM, Russ Allbery <eagle at eyrie.org> wrote:
> Nico Williams <nico at cryptonector.com> writes:
>
>> The ancillary directory can be in $TMPDIR (we can assume at least /tmp),
>> and the main file can be written by truncation as a fallback (with all
>> the problems that that entails).
>
> I'm dubious that the Kerberos libraries can safely assume that $TMPDIR or
> /tmp are available.  Do they currently assume that somewhere?  (I'm
> thinking of chroot cases, SELinux and other MAC use cases, jails,
> namespace restrictions on Linux, etc.)

Good question.  It's not about what POSIX says either.  All bets are
off with chroot (since it's up to who sets up the space to chroot
into).  As for jails and such, I very much expect them to have a /tmp
if they are to be general-purpose.

Nico
--