[OpenAFS] Re: openafs versus systemd

Jan Henrik Sylvester me@janh.de
Wed, 28 Jun 2023 16:18:00 +0200


On 6/28/23 15:02, Jeffrey E Altman wrote:
> On 6/28/2023 3:54 AM, Jan Henrik Sylvester wrote:
>> On 6/9/23 13:38, Jan Henrik Sylvester wrote:
>>> - you cannot use snap packages with a home directory outside /home: 
>>> use ppa:mozillateam/ppa for Firefox and Google Chrome instead of 
>>> Chromium
>>
>> Correction: This does not seem to be true anymore.
>>
>> snap set system homedirs=/afs/math.uni-hamburg.de/users
>>
>> works for Ubuntu 22.04.
>>
>> The Firefox snap does start with this setting. We have very limited 
>> experience with this setting. Kerberos authentication does not work in 
>> Firefox snap, which is a known problem (independent of AFS).
>>
> What credential cache type is in use?
> 
> The underlying issues are the same as for PAGs.  The assumption is that 
> a 'uid' represents all of the authorization credentials associated with 
> the user.   If the Kerberos credential cache is using a session keyring 
> or something that is not global to the 'uid', then there will be no 
> Kerberos TGT available to snap.

Maybe I was not clear enough. Accessing the home directories from 
Firefox is not the issue. Kerberized HTTP is the issue:

https://bugzilla.mozilla.org/show_bug.cgi?id=1734791

There is apparmor, there is snap sandboxing. It is not just about the 
PAGs or keyrings.

We do use a file based Kerberos cache in /tmp (which is blocked by 
apparmor for Firefox, which is not the only issue according to the bug 
report). Yes, we could try to change that. All I wanted to say is 
getting snap packages to run with AFS home directories may not 
immediately solve all problems that come with snap packages in general.

With the deb package, we ended up completely disabling the Firefox 
apparmor profile to solve some other problems. We have not investigated 
that with the snap package, yet. Moreover, there is the question whether 
or not apparmor is useful in general if we have to disable it for 
applications that are a huge attack surface to a desktop system such as 
Firefox or Libreoffice, because we cannot fix their apparmor profiles 
completely. Anyhow, these problems may not be directly related to AFS. 
For example, Libreoffice with AFS home directory works fine with 
apparmor for the Ubuntu desktop environment, but fails for the Plasma 
desktop environment as long as the apparmor profile is active.

BTW: The solution to the snap problem is a bit unexpected, since the 
documentation states that "snap set system homedirs=" is available from 
snapd 2.59 onwards, but Ubuntu 22.04 has snapd 2.58. Anyhow, it does 
work with Ubuntu 22.04.

Best,
Jan Henrik
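The two settings the thread turns on, snapd's "homedirs" list and the Kerberos credential cache type, are easy to check from a login script. The following POSIX shell helpers are an added example, not code from the mail or from OpenAFS or snapd. They assume the comma-separated form of the "homedirs" value (as returned by `snap get system homedirs`) and libkrb5's KRB5CCNAME syntax (an unprefixed value means a FILE cache); the function names, the sample home path and the sample KRB5CCNAME values are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original mail).
#
# snap_homedir_covered LIST HOME
#   prints "yes" if HOME lies under one of the directories in LIST, the
#   comma-separated value of `snap get system homedirs`, else "no".
# krb5cc_type VALUE
#   prints the credential cache type implied by a KRB5CCNAME value
#   (FILE, DIR, KEYRING, KCM, ...). No "TYPE:" prefix means FILE, as in
#   libkrb5. An empty value prints "default": the real default comes from
#   krb5.conf, which this script does not read.
# krb5cc_file_in_tmp VALUE
#   prints "yes" for the configuration the thread describes as problematic
#   for the Firefox snap: a FILE cache that lives under /tmp.

snap_homedir_covered() {
    homedirs=$1
    home=${2%/}                  # ignore a trailing slash on the home path
    result=no
    old_ifs=$IFS
    IFS=,
    for dir in $homedirs; do     # word-split on commas only
        dir=${dir%/}
        [ -z "$dir" ] && continue
        case $home in
            "$dir"|"$dir"/*) result=yes; break ;;   # exact dir or below it
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$result"
}

krb5cc_type() {
    ccname=$1
    case $ccname in
        "")   printf 'default\n' ;;
        *:*)  printf '%s\n' "${ccname%%:*}" ;;      # text before the first ':'
        *)    printf 'FILE\n' ;;                    # bare path: FILE cache
    esac
}

krb5cc_file_in_tmp() {
    ccname=$1
    [ "$(krb5cc_type "$ccname")" = FILE ] || { printf 'no\n'; return; }
    path=${ccname#FILE:}         # drop the optional prefix, keep the path
    case $path in
        /tmp/*) printf 'yes\n' ;;
        *)      printf 'no\n' ;;
    esac
}

# Usage with constructed values (a real script would use "$HOME" and
# "$KRB5CCNAME" and the output of `snap get system homedirs`).
example_homedirs=/afs/math.uni-hamburg.de/users
example_home=/afs/math.uni-hamburg.de/users/example
example_ccname=FILE:/tmp/krb5cc_1000
printf 'home covered by snap homedirs: %s\n' \
    "$(snap_homedir_covered "$example_homedirs" "$example_home")"
printf 'credential cache type: %s\n' "$(krb5cc_type "$example_ccname")"
printf 'file cache under /tmp: %s\n' "$(krb5cc_file_in_tmp "$example_ccname")"
```

Running the helpers against the real environment (`"$HOME"`, `"$KRB5CCNAME"`, `snap get system homedirs`) gives a quick answer to both of Jeffrey's question about the cache type and to whether the snapd setting actually covers the AFS home tree on a given machine.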