Benjamin Coddington <[email protected]> writes:

> I'd like to avoid implementing the other ccache types because each type
> should be evaluated to allow webauth the opportunity to secure or deny
> the use of that ccache type.  Because mod_webauth runs as the same user,
> a ccache is exposed to concurrent requests.

Ah, yes, good point.

> If you'll agree, I'll resubmit to support the KEYRING type modified to
> explicitly set the ccache's key permissions to only allow 'Possessor'
> access.

Sure, that sounds good.

I'm in the middle of doing a bunch of code refactoring, but I've not yet
touched the part that you're working on other than the configuration
parsing.  I'll try not to break anything touched by your patch before it
goes in, but you may want to watch:

    http://git.eyrie.org/?p=kerberos/webauth.git

to be sure you have the latest code.  (I'm about to convert all the token
handling to APR, for example, which I don't think will touch what you're
doing, but which will touch some of the same files.)

-- 
Russ Allbery <[email protected]>
Technical Lead, ITS Infrastructure Delivery Group, Stanford University
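The restriction agreed on above (dropping every key permission except the Possessor's, so that another process running as the same user cannot reach the key) can be sketched as follows. This is an added example, not part of the message, the submitted patch or the WebAuth code. It assumes Linux and raw `keyctl` syscalls; the function names and the `demo_ccache` key are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/keyctl.h>  /* KEYCTL_*, KEY_SPEC_* */
/* One permission byte per class (values as in keyutils.h). */
#define KEY_POS_ALL 0x3f000000u  /* possessor */
#define KEY_USR_ALL 0x003f0000u  /* owning UID */
#define KEY_GRP_ALL 0x00003f00u  /* owning GID */
#define KEY_OTH_ALL 0x0000003fu  /* everyone else */

/* Keep the possessor bits, drop user, group and other. */
uint32_t possessor_only(uint32_t perm) { return perm & KEY_POS_ALL; }
/* Nonzero if anyone who does not possess the key still gets access. */
int exposed_beyond_possessor(uint32_t perm) {
    return (perm & (KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL)) != 0;
}
/* Extract the hex perm field from "type;uid;gid;perm;description". */
int parse_described_perm(const char *desc, uint32_t *perm) {
    char *end;
    for (int i = 0; i < 3; i++) {
        if ((desc = strchr(desc, ';')) == NULL) return -1;
        desc++;
    }
    unsigned long v = strtoul(desc, &end, 16);
    if (end == desc || *end != ';') return -1;
    *perm = (uint32_t)v;
    return 0;
}
/* Tighten an existing key, then read the mask back; 0 only if verified. */
int restrict_to_possessor(long key) {
    char buf[256] = "";
    uint32_t perm;
    long n = syscall(SYS_keyctl, KEYCTL_DESCRIBE, key, buf, sizeof buf);
    if (n < 0 || n > (long)sizeof buf || parse_described_perm(buf, &perm) < 0) return -1;
    if (syscall(SYS_keyctl, KEYCTL_SETPERM, key, (unsigned long)possessor_only(perm)) < 0)
        return -1;
    n = syscall(SYS_keyctl, KEYCTL_DESCRIBE, key, buf, sizeof buf);
    if (n < 0 || n > (long)sizeof buf || parse_described_perm(buf, &perm) < 0) return -1;
    return exposed_beyond_possessor(perm) ? -1 : 0;
}

int main(void) {  /* constructed demo key in the process keyring */
    long key = syscall(SYS_add_key, "user", "demo_ccache", "x", (size_t)1,
                       (long)KEY_SPEC_PROCESS_KEYRING);
    if (key < 0) { perror("add_key"); return 1; }
    puts(restrict_to_possessor(key) == 0 ? "possessor-only: ok" : "possessor-only: failed");
    return 0;
}
```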
