[38574] in Kerberos


Re: krb5 library missing functions for collections

daemon@ATHENA.MIT.EDU (Charles Hedrick)
Mon Jul 22 13:51:25 2019

From: Charles Hedrick <hedrick@rutgers.edu>
To: Greg Hudson <ghudson@mit.edu>
Date: Mon, 22 Jul 2019 17:51:12 +0000
Message-ID: <5B531722-25DF-4C51-8A1D-5BB5278D7A3F@rutgers.edu>
In-Reply-To: <9f9094e8-4e89-f9f9-e902-4f144a54b97f@mit.edu>
Content-Language: en-US
MIME-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

On Jul 22, 2019, at 1:00 PM, Greg Hudson <ghudson@mit.edu> wrote:

> By my reading, KEYRING also doesn't generally include the uid in the name.

Again, I can only speak for what I see in Red Hat and Ubuntu. The default for KRB5CCNAME is KEYRING:persistent:UID. Something (I think a combination of the library and the kernel) prevents users from accessing anything that doesn’t start with KEYRING:persistent:UID with their own UID. Root can access them all.

KEYRING:persistent:UID is a collection. All actual caches are KEYRING:persistent:UID:stuff, so there’s no ambiguity.

There are other formats for KEYRING for per-process, etc., but as far as I know they’re not used and would be pretty hard to use except for inside a specific application.

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
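The naming rule Charles describes above (KEYRING:persistent:UID is the collection, KEYRING:persistent:UID:something is one cache inside it, and only root may reach a collection belonging to another uid) as a small parser and ownership check. This is an added example, not code from the thread or from MIT krb5; the functions, the "other" bucket for non-keyring names, and the decision to reject non-keyring names outright are this example's own assumptions, a simplification of whatever the library and kernel actually enforce. The kinit and klist lines in the comments are shown for orientation only and are not run.

```shell
#!/bin/sh
# Added example, not from the original post or from MIT krb5. It models the
# naming rule in the thread:
#   KEYRING:persistent:<uid>         -> the collection for <uid>
#   KEYRING:persistent:<uid>:<name>  -> one cache inside that collection
# and the ownership rule: root may use any persistent keyring, everyone else
# only the collection carrying their own uid. The parser and the rule are this
# example's own simplification, not the library's or the kernel's logic.

# ccache_kind NAME -> prints "collection", "cache" or "other"
ccache_kind() {
    name=$1
    case "$name" in
        KEYRING:persistent:*) ;;
        *) echo other; return ;;
    esac
    rest=${name#KEYRING:persistent:}
    uid=${rest%%:*}
    # the third field must be a plain numeric uid, otherwise it is not the
    # per-uid naming scheme discussed here
    case "$uid" in
        ''|*[!0-9]*) echo other; return ;;
    esac
    case "$rest" in
        *:*) echo cache ;;
        *)   echo collection ;;
    esac
}

# ccache_uid NAME -> prints the uid embedded in a KEYRING:persistent name
# (only meaningful when ccache_kind did not answer "other")
ccache_uid() {
    rest=${1#KEYRING:persistent:}
    printf '%s\n' "${rest%%:*}"
}

# ccache_allowed NAME CALLER_UID -> exit 0 if CALLER_UID may use NAME under
# the rule above. Names outside the KEYRING:persistent scheme are rejected
# here because the rule says nothing about them (assumption of this example).
ccache_allowed() {
    [ "$(ccache_kind "$1")" != other ] || return 1
    [ "$2" -eq 0 ] && return 0
    [ "$(ccache_uid "$1")" -eq "$2" ]
}

# Typical use: look at the caller's own KRB5CCNAME (or the default described
# in the thread) before doing anything with it.
#   kinit -c "KEYRING:persistent:$(id -u):work" user@EXAMPLE.COM  # add a cache
#   klist -l                                                       # list the collection
main() {
    me=$(id -u)
    name=${KRB5CCNAME:-KEYRING:persistent:$me}
    kind=$(ccache_kind "$name")
    if ccache_allowed "$name" "$me"; then
        echo "$name: $kind, usable by uid $me"
    else
        echo "$name: $kind, not a persistent keyring for uid $me"
    fi
}
main
```

Run it with KRB5CCNAME unset to see the default collection name for your uid, or point KRB5CCNAME at a FILE: cache to see the non-keyring branch; the kinit and klist commands in the comments are what you would type on a real Red Hat or Ubuntu box to populate and list the collection.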
