[OpenAFS] Redux: Linux: systemctl --user vs. AFS

Jonathan Billings billings@negate.org
Fri, 13 Aug 2021 11:48:12 -0400


On Fri, Aug 13, 2021 at 05:38:54PM +0200, Dirk Heinrichs wrote:
>
> Jonathan Billings:
> 
> > # Set ccache name
> > export KRB5CCNAME="KEYRING:persistent:$UID"
> 
> Am I correct to assume that the "regular" login session also needs to be
> configured this way?
> 
> Thanks...

Yes, I have this in my /etc/krb5.conf:

[libdefaults]
    default_ccache_name = KEYRING:persistent:%{uid}

By default it is "FILE:/tmp/krb5cc_%{uid}" which isn't particularly
secure, as mentioned earlier in the thread.

Honestly, it might be ok if it was "FILE:/run/user/%{uid}/ccache", but
I'm not sure if the XDG_RUNTIME_DIR is mounted before the ccache is
created.  Files in /run/user/$UID are exclusively for the user; other
users' processes can't look into it, including root (although root can
get around that trivially, although the same can be said for KEYRING and
KCM ccache types).

I'm not a Kerberos expert, so I trust what others have said about it.

-- 
Jonathan Billings <billings@negate.org>
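An added example, not part of Jonathan's message or of OpenAFS: a small POSIX sh audit that reads default_ccache_name out of a krb5.conf and classifies the credential-cache type it selects (KEYRING/KCM, FILE under the per-user /run/user tree, or FILE in shared /tmp, which is the MIT default when the key is unset). The krb5.conf text in SAMPLE_CONF is constructed for the demo; the function and class names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed krb5.conf text for the demo;
# on a real host you would feed /etc/krb5.conf into ccache_name_from_conf.
SAMPLE_CONF='[libdefaults]
    default_realm = EXAMPLE.ORG
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }
'

# Read krb5.conf text on stdin and print the [libdefaults] default_ccache_name.
# When the key is absent, print the MIT Kerberos default (FILE:/tmp/krb5cc_%{uid}).
ccache_name_from_conf() {
    awk '
        /^[[:space:]]*[#;]/ { next }                       # skip comment lines
        /^[[:space:]]*\[/ {                                # section header
            in_libdefaults = ($0 ~ /^[[:space:]]*\[libdefaults\]/)
            next
        }
        in_libdefaults && /^[[:space:]]*default_ccache_name[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")                 # drop "key ="
            sub(/[[:space:]]+$/, "")                       # drop trailing blanks
            print; found = 1; exit
        }
        END { if (!found) print "FILE:/tmp/krb5cc_%{uid}" }
    '
}

# Classify a ccache name by its type prefix and, for FILE caches, by directory.
ccache_class() {
    case "$1" in
        KEYRING:*|KCM:*)             echo "kernel-or-daemon-held" ;;
        FILE:/run/user/*)            echo "file-in-private-runtime-dir" ;;
        FILE:/tmp/*|FILE:/var/tmp/*) echo "file-in-shared-tmp" ;;
        FILE:*)                      echo "file-other" ;;
        *)                           echo "unknown" ;;
    esac
}

# Print "<ccache name> <class>" for the krb5.conf text on stdin.
report_ccache() {
    name=$(ccache_name_from_conf)
    echo "$name $(ccache_class "$name")"
}

# Usage: printf '%s\n' "$SAMPLE_CONF" | report_ccache
#        report_ccache < /etc/krb5.conf
```

The "file-in-shared-tmp" class is the configuration the message calls out as not particularly secure; the other two classes correspond to the KEYRING setting Jonathan uses and to the /run/user alternative he speculates about.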