Proposed new krb5 FILE ccache protocol
Nico Williams
nico at cryptonector.com
Wed Jan 29 00:16:12 EST 2014
On Tue, Jan 28, 2014 at 11:01 PM, Nico Williams <nico at cryptonector.com> wrote:
> On Tue, Jan 28, 2014 at 10:41 PM, Russ Allbery <eagle at eyrie.org> wrote:
>> Nico Williams <nico at cryptonector.com> writes:
>>
>>> The ancillary directory can be in $TMPDIR (we can assume at least /tmp),
>>> and the main file can be written by truncation as a fallback (with all
>>> the problems that that entails).
>>
>> I'm dubious that the Kerberos libraries can safely assume that $TMPDIR or
>> /tmp are available. Do they currently assume that somewhere? (I'm
>> thinking of chroot cases, SELinux and other MAC use cases, jails,
>> namespace restrictions on Linux, etc.)
And to answer your question, krb5_cc_new_unique/gen_new() for the FILE
ccache to refer to /tmp by default, and a variety of functions,
including krb5_cc_default_name(), support expansion of a TEMP token to
whatever $TMPDIR is.
That said, there are surprisingly few uses of mkstemp() and friends in
the library.
Nico
--
More information about the krbdev
mailing list