
Store GSSAPI session key in /var/run/httpd #723

Closed
wants to merge 1 commit into from

Conversation

MartinBasti (Contributor) commented Apr 20, 2017

Runtime data should be stored in /var/run instead of /etc/httpd/alias.
This change is also compatible with selinux policy.

https://pagure.io/freeipa/issue/6880

HonzaCholasta (Contributor)

Could we put the mod_auth_gssapi session key in /var/run/ipa/session.key? /var/run/ipa is where we store IPA-specific stuff, including mod_auth_gssapi ccaches.

MartinBasti (Contributor, Author)

Sure

@tkrizek tkrizek self-assigned this Apr 21, 2017
tkrizek (Contributor) commented Apr 21, 2017

Functional ACK. There was a concern in the ticket's discussion about reboots - are we going to handle them?

@MartinBasti MartinBasti added the ack Pull Request approved, can be merged label Apr 27, 2017
MartinBasti (Contributor, Author)

This approach was agreed on at the devel meeting.

@martbab martbab added the pushed Pull Request has already been pushed label Apr 27, 2017
martbab (Contributor) commented Apr 27, 2017

master:

  • 2bab2d4 Store GSSAPI session key in /var/run/ipa

ipa-4-5:

  • b2aa3ed Store GSSAPI session key in /var/run/ipa

@martbab martbab closed this Apr 27, 2017
simo5 (Contributor) commented Apr 27, 2017

This patch is wrong, please revert.

@simo5 simo5 reopened this Apr 27, 2017
simo5 (Contributor) commented Apr 27, 2017

As I noted in the ticket: "At most you may want to store it in /var/lib/ipa/somewhere, but we do not want to break sessions (there are people using APIs from non-interactive scripts) just because you needed to restart a service/server quickly.
These keys are considered long term keys, and should not be thrown away at each reboot."

Let me also add that:

  1. the directory needs to be writable by the apache user as the key is created the first time the server is started
  2. only the apache user must be able to read this key

simo5 (Contributor) commented Apr 27, 2017

The current patch moved the key in a place where apache cannot write, resulting in an ephemeral key that is thrown away each time apache is restarted/reloaded.
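The failure mode simo5 describes (a key directory the httpd user cannot write to, and a tmpfs location that discards the key on reboot) can be audited before deploying such a change. The script below is an added example, not code from the FreeIPA project or this PR; the key path under /var/lib/ipa and the `apache` user name are assumptions, and it relies on GNU `stat`.

```shell
#!/bin/sh
# Audit a mod_auth_gssapi session-key location against the three requirements
# raised in the thread: the containing directory must be owned (and so
# writable) by the httpd user because the key is created on first start, the
# key must be readable by that user only, and the directory must not sit on
# tmpfs (e.g. /run) where the key would be lost on reboot.
# Returns 0 when every check passes, 1 otherwise; findings are printed.
check_gssapi_key_location() {
    key="$1"
    user="$2"
    rc=0
    dir=$(dirname "$key")

    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir does not exist"
        return 1
    fi

    dir_owner=$(stat -c '%U' "$dir")
    if [ "$dir_owner" != "$user" ]; then
        echo "FAIL: $dir is owned by $dir_owner, not $user; httpd cannot create the key"
        rc=1
    fi

    if [ -e "$key" ]; then
        key_owner=$(stat -c '%U' "$key")
        key_mode=$(stat -c '%a' "$key")
        if [ "$key_owner" != "$user" ]; then
            echo "FAIL: $key is owned by $key_owner, not $user"
            rc=1
        fi
        # Any group/other bit exposes the long-term session key to other users.
        case "$key_mode" in
            600|400) ;;
            *) echo "FAIL: $key has mode $key_mode; expected 0600"; rc=1 ;;
        esac
    else
        echo "INFO: $key not created yet (expected before the first httpd start)"
    fi

    fstype=$(stat -f -c '%T' "$dir")
    if [ "$fstype" = "tmpfs" ]; then
        echo "FAIL: $dir is on tmpfs; the key would be discarded on reboot"
        rc=1
    fi

    return "$rc"
}

# Assumed deployment values (placeholder path, Fedora/RHEL httpd user):
# check_gssapi_key_location /var/lib/ipa/gssapi-session.key apache
```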

@pvoborni pvoborni removed ack Pull Request approved, can be merged pushed Pull Request has already been pushed labels Apr 28, 2017
@MartinBasti MartinBasti added the rejected Pull Request has been rejected label May 2, 2017
MartinBasti (Contributor, Author)

The issue will be fixed on the SELinux side

@MartinBasti MartinBasti closed this May 2, 2017