github-actions[bot] opened a new pull request, #67085: URL: https://github.com/apache/airflow/pull/67085
The Kerberos integration docs ship a default ccache path of `/tmp/airflow_krb5_ccache`, which sits in a world-readable directory on most Unix systems and would let any other local user on the host read or modify the Airflow service principal's credential cache. Add a warning recommending a non-world-accessible directory (a per-service runtime dir like `/run/airflow/krb5_ccache` or a private user-scoped location) and `chmod 0700` on the parent — mirroring the guidance the docs already give for the keytab.

Reported by the L3 ASVS sweep at apache/tooling-agents#23 (FINDING-175).

(cherry picked from commit da03584282c2e708c655c55fc07ccf9490a38a62)

Co-authored-by: Jarek Potiuk <[email protected]>

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
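As an added example (not part of the pull request or of Airflow's code), the following check audits a ccache path the way the warning describes: the parent directory and the cache file must belong to the service account and grant no group or other access. The function names and the temporary directories built in `demo()` are constructed for illustration.

```python
import os
import stat
import tempfile


def audit_ccache_path(ccache_path, expected_uid=None):
    """Return findings for a Kerberos ccache path; an empty list means it passed."""
    expected_uid = os.getuid() if expected_uid is None else expected_uid
    findings = []
    parent = os.path.dirname(os.path.abspath(ccache_path))

    # Parent directory: owned by the service account, mode 0700 (no group/other bits).
    pst = os.stat(parent)
    pmode = stat.S_IMODE(pst.st_mode)
    if pst.st_uid != expected_uid:
        findings.append(f"{parent}: owner uid {pst.st_uid}, expected {expected_uid}")
    if pmode & 0o077:
        findings.append(f"{parent}: mode {pmode:04o} allows group/other access")

    # The cache file may not exist before the first ticket is obtained.
    try:
        fst = os.stat(ccache_path)
    except FileNotFoundError:
        return findings
    fmode = stat.S_IMODE(fst.st_mode)
    if fst.st_uid != expected_uid:
        findings.append(f"{ccache_path}: owner uid {fst.st_uid}, expected {expected_uid}")
    if fmode & 0o077:
        findings.append(f"{ccache_path}: mode {fmode:04o} allows group/other access")
    return findings


def demo():
    """Audit a constructed /tmp-style (1777) directory and a private (0700) one."""
    with tempfile.TemporaryDirectory() as root:
        results = {}
        for name, dir_mode in (("shared", 0o1777), ("private", 0o700)):
            d = os.path.join(root, name)
            os.mkdir(d)
            os.chmod(d, dir_mode)
            cc = os.path.join(d, "krb5_ccache")
            with open(cc, "wb"):
                pass
            os.chmod(cc, 0o600)
            results[name] = audit_ccache_path(cc)
        return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "OK")
```

Run it as the account that owns the Airflow Kerberos ticket renewer, or pass that account's uid as `expected_uid`.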
