I fail to see why non-root processes should be trying to
read /etc/krb5.keytab at all. You should be generating a per-service
keytab with only the keys necessary for that service to authenticate
itself to the KDC. So you might have /etc/dovecot/dovecot.keytab which
is readable only by the dovecot user.

The problem with allowing access to /etc/krb5.keytab is that it means
that an exploit in another process (especially a mail server!) could
gain access to the keys necessary to impersonate your host in kerberized
applications on the network. That's really dangerous.

Right, but that's exactly what is happening with kerberized BIND, right? As far as I understand, you need to chown /etc/krb5.keytab to 'named' first.
In general, you are probably right; the only problem is that most Linux kerberized services expect krb5.keytab in /etc.
Moreover, in a situation where winbind (or later maybe even sssd, for example) maintains the system Kerberos database, we would need some means to tell it to maintain more database files in multiple locations - and that is too messy.

Maybe it is time to introduce some simple database layer on top of /etc/krb5.keytab which would handle the permissions correctly? Applications/services would need to talk to this layer and not to krb5.keytab directly.


Ondrej


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
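The per-service keytab that the first message recommends, as an added example that is not from this thread: a small POSIX shell helper that pulls one service principal's keys into its own keytab with FreeIPA's ipa-getkeytab, locks the file down to the service user, and provides a check plus an audit for keytabs readable by anyone else. It assumes a FreeIPA-enrolled host with ipa-getkeytab and GNU coreutils/findutils; the principal, path and owner in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes a FreeIPA client with
# ipa-getkeytab and GNU stat/find.

# make_service_keytab SERVICE_PRINCIPAL KEYTAB_PATH OWNER
# Fetch only that principal's keys (never the host's /etc/krb5.keytab) into a
# dedicated keytab owned by, and readable only by, the service user.
# Caveat: ipa-getkeytab generates a new key for the principal by default, which
# invalidates any earlier copy of it; use -r to retrieve the existing key where
# the caller is permitted to.
make_service_keytab() {
    principal=$1; keytab=$2; owner=$3
    # subshell so the restrictive umask does not leak into the caller
    ( umask 077 && ipa-getkeytab -p "$principal" -k "$keytab" ) || return 1
    chown "$owner:$owner" "$keytab" && chmod 0400 "$keytab"
}

# keytab_is_locked_down KEYTAB_PATH OWNER
# Return 0 when the keytab exists, is owned by OWNER and grants no group or
# other access; return 1 otherwise. Suitable for a periodic compliance check.
keytab_is_locked_down() {
    keytab=$1; owner=$2
    [ -f "$keytab" ] || return 1
    set -- $(stat -c '%a %U' "$keytab")       # e.g. "400 dovecot"
    mode=$1; actual_owner=$2
    [ "$actual_owner" = "$owner" ] || return 1
    # the last two octal digits are the group/other bits; both must be zero
    case $mode in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# audit_keytabs: list every keytab under /etc that anyone but its owner can
# read, write or execute, i.e. the exposure the thread warns about.
audit_keytabs() {
    find /etc -name '*.keytab' -perm /077 2>/dev/null
}

# Example use for the dovecot case from the thread (principal name assumed):
#   make_service_keytab "imap/$(hostname -f)" /etc/dovecot/dovecot.keytab dovecot
#   keytab_is_locked_down /etc/dovecot/dovecot.keytab dovecot && echo OK
```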


