Discussion:
[Freeipa-devel] [freeipa PR#723][opened] Store GSSAPI session key in /var/run/httpd
MartinBasti
2017-04-20 08:41:08 UTC
URL: https://github.com/freeipa/freeipa/pull/723
Author: MartinBasti
Title: #723: Store GSSAPI session key in /var/run/httpd
Action: opened

PR body:
"""
Runtime data should be stored in /var/run instead of /etc/httpd/alias.
This change is also compatible with selinux policy.

https://pagure.io/freeipa/issue/6880
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/723/head:pr723
git checkout pr723
HonzaCholasta
2017-04-20 08:59:50 UTC
URL: https://github.com/freeipa/freeipa/pull/723
Title: #723: Store GSSAPI session key in /var/run/httpd

HonzaCholasta commented:
"""
Could we put the mod_auth_gssapi session key in `/var/run/ipa/session.key`? `/var/run/ipa` is where we store IPA-specific stuff, including mod_auth_gssapi ccaches.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/723#issuecomment-295641802
MartinBasti
2017-04-20 09:04:04 UTC
URL: https://github.com/freeipa/freeipa/pull/723
Title: #723: Store GSSAPI session key in /var/run/httpd

MartinBasti commented:
"""
Sure
"""

See the full comment at https://github.com/freeipa/freeipa/pull/723#issuecomment-295643034
MartinBasti
2017-04-20 10:11:30 UTC
URL: https://github.com/freeipa/freeipa/pull/723
Author: MartinBasti
Title: #723: Store GSSAPI session key in /var/run/httpd
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/723/head:pr723
git checkout pr723
tomaskrizek
2017-04-21 12:39:13 UTC
URL: https://github.com/freeipa/freeipa/pull/723
Title: #723: Store GSSAPI session key in /var/run/httpd

tomaskrizek commented:
"""
Functional ACK. There was a concern in the ticket's discussion about reboots - are we going to handle them?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/723#issuecomment-296179626
MartinBasti
2017-04-27 08:42:27 UTC
URL: https://github.com/freeipa/freeipa/pull/723
Title: #723: Store GSSAPI session key in /var/run/httpd

Label: +ack
Simo Sorce
2017-04-27 12:28:39 UTC
URL: https://github.com/freeipa/freeipa/pull/723
Title: #723: Store GSSAPI session key in /var/run/httpd
Label: +ack
Guys, I explained in the bug [1] that this is wrong; why was this acked
and pushed?

Besides, how does this even work? /var/run/ipa is owned by root and
apache has no rights to create files there, and the patch does not
address any permission problem.

I assume what happens is that now mod_auth_gssapi is running with an
ephemeral in-process key, which means any reload or restart of apache
will change the key.

Please revert!

Simo.

[1] https://pagure.io/freeipa/issue/6880#comment-437767
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute
MartinBasti
2017-04-27 08:42:43 UTC
URL: https://github.com/freeipa/freeipa/pull/723
Title: #723: Store GSSAPI session key in /var/run/httpd

MartinBasti commented:
"""
This approach was agreed on devel meeting
"""

See the full comment at https://github.com/freeipa/freeipa/pull/723#issuecomment-297651621
martbab
2017-04-27 10:36:11 UTC
URL: https://github.com/freeipa/freeipa/pull/723
Title: #723: Store GSSAPI session key in /var/run/httpd

martbab commented:
"""
master:

* 2bab2d4963daa99742875f3633a99966bc56f5a3 Store GSSAPI session key in /var/run/ipa
ipa-4-5:

* b2aa3ed0bc9f5385ab6e8b1720d9f1d33136e5dc Store GSSAPI session key in /var/run/ipa
"""

See the full comment at https://github.com/freeipa/freeipa/pull/723#issuecomment-297677527
martbab
2017-04-27 10:36:19 UTC
URL: https://github.com/freeipa/freeipa/pull/723
Title: #723: Store GSSAPI session key in /var/run/httpd

Label: +pushed
martbab
2017-04-27 10:36:22 UTC
URL: https://github.com/freeipa/freeipa/pull/723
Author: MartinBasti
Title: #723: Store GSSAPI session key in /var/run/httpd
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/723/head:pr723
git checkout pr723
simo5
2017-04-27 12:30:21 UTC
URL: https://github.com/freeipa/freeipa/pull/723
Title: #723: Store GSSAPI session key in /var/run/httpd

simo5 commented:
"""
This patch is wrong please revert
"""

See the full comment at https://github.com/freeipa/freeipa/pull/723#issuecomment-297699615
simo5
2017-04-27 12:30:28 UTC
URL: https://github.com/freeipa/freeipa/pull/723
Author: MartinBasti
Title: #723: Store GSSAPI session key in /var/run/httpd
Action: reopened

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/723/head:pr723
git checkout pr723
simo5
2017-04-27 12:38:04 UTC
URL: https://github.com/freeipa/freeipa/pull/723
Title: #723: Store GSSAPI session key in /var/run/httpd

simo5 commented:
"""
As I noted in the ticket: "At most you may want to store it in /var/lib/ipa/somewhere, but we do not want to break sessions (there are people using APIs from non-interactive scripts) just because you needed to restart a service/server quickly.
These keys are considered long term keys, and should not be thrown away at each reboot."

Let me also add that:
1. the directory needs to be writable by the apache user as the key is created the first time the server is started
2. only the apache user must be able to read this key
"""

See the full comment at https://github.com/freeipa/freeipa/pull/723#issuecomment-297701218
simo5
2017-04-27 12:39:02 UTC
URL: https://github.com/freeipa/freeipa/pull/723
Title: #723: Store GSSAPI session key in /var/run/httpd

simo5 commented:
"""
The current patch moved the key in a place where apache cannot write, resulting in an ephemeral key that is thrown away each time apache is restarted/reloaded.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/723#issuecomment-297701456
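The two comments above from simo5 list what a storage location for the mod_auth_gssapi session key has to satisfy: it must survive reboots (so not a tmpfs such as /var/run), the directory must be writable by the web server user because the key is generated on first start, and only that user may read the key. The following is an added example, not FreeIPA's code and not part of the PR, that turns those requirements into a check function. The list of volatile prefixes, the scratch layouts and the key file name are assumptions made for the example.

```python
"""Added example: check a candidate location for a long-term
mod_auth_gssapi session key against the requirements in the thread
(persistent, directory writable by the web server user, key readable
only by that user).  Illustrative code, not FreeIPA's own."""
import os
import stat
import tempfile

# Assumption: paths under these prefixes live on tmpfs (or are otherwise
# cleared) across reboots, so a long-term key must not be stored there.
VOLATILE_PREFIXES = ("/run/", "/var/run/", "/dev/shm/", "/tmp/")

GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO


def is_volatile(key_path, volatile_prefixes=VOLATILE_PREFIXES):
    """True if the key would not survive a reboot at this path."""
    path = os.path.abspath(key_path)
    return any(path.startswith(p) for p in volatile_prefixes)


def check_key_location(key_path, owner_uid, volatile_prefixes=VOLATILE_PREFIXES):
    """Return a list of problems; an empty list means the location is acceptable.

    owner_uid is the uid the web server runs as
    (e.g. pwd.getpwnam("apache").pw_uid on a real system).
    """
    problems = []
    path = os.path.abspath(key_path)
    if is_volatile(path, volatile_prefixes):
        problems.append("volatile location: key would not survive a reboot")

    parent = os.path.dirname(path)
    try:
        dst = os.stat(parent)
    except FileNotFoundError:
        problems.append("parent directory does not exist")
        return problems
    # The key is generated on first start, so the server user needs write
    # access to the directory.  Nobody else may access it, otherwise another
    # local user could plant a key of their choosing.
    if dst.st_uid != owner_uid or not dst.st_mode & stat.S_IWUSR:
        problems.append("directory not writable by the web server user")
    if dst.st_mode & GROUP_OTHER_BITS:
        problems.append("directory accessible by group/others")

    if os.path.exists(path):
        kst = os.stat(path)
        if kst.st_uid != owner_uid:
            problems.append("key not owned by the web server user")
        if kst.st_mode & GROUP_OTHER_BITS:
            problems.append("key readable by group/others")
    return problems


def demo():
    """Build a good layout, a bad layout and a missing one under a scratch
    directory and check all three.  The scratch directory usually sits under
    /tmp, so the volatility rule is switched off here and exercised on fixed
    path strings instead (see __main__)."""
    me = os.geteuid()
    results = {}
    with tempfile.TemporaryDirectory() as root:
        good_dir = os.path.join(root, "good")
        os.mkdir(good_dir, 0o700)
        os.chmod(good_dir, 0o700)
        good_key = os.path.join(good_dir, "session.key")
        with open(good_key, "wb") as f:
            f.write(b"constructed-key-material")   # constructed sample
        os.chmod(good_key, 0o600)
        results["good"] = check_key_location(good_key, me, volatile_prefixes=())

        bad_dir = os.path.join(root, "bad")
        os.mkdir(bad_dir, 0o755)
        os.chmod(bad_dir, 0o755)
        bad_key = os.path.join(bad_dir, "session.key")
        with open(bad_key, "wb") as f:
            f.write(b"constructed-key-material")   # constructed sample
        os.chmod(bad_key, 0o644)
        results["bad"] = check_key_location(bad_key, me, volatile_prefixes=())

        missing_key = os.path.join(root, "nope", "session.key")
        results["missing"] = check_key_location(missing_key, me, volatile_prefixes=())
    return results


if __name__ == "__main__":
    for name, probs in demo().items():
        print(name, probs or "ok")
    print("/var/run/ipa/session.key volatile:", is_volatile("/var/run/ipa/session.key"))
    print("/var/lib/ipa/session.key volatile:", is_volatile("/var/lib/ipa/session.key"))
```

Run as a script it reports the good layout as ok, flags the 0755 directory and 0644 key, and shows that /var/run/ipa fails the persistence rule while a /var/lib/ipa path passes it; the ownership check is done against the current user so the example runs without an apache account.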
pvoborni
2017-04-28 08:11:09 UTC
URL: https://github.com/freeipa/freeipa/pull/723
Title: #723: Store GSSAPI session key in /var/run/httpd

Label: -ack
pvoborni
2017-04-28 08:11:17 UTC
URL: https://github.com/freeipa/freeipa/pull/723
Title: #723: Store GSSAPI session key in /var/run/httpd

Label: -pushed
MartinBasti
2017-05-02 12:56:10 UTC
URL: https://github.com/freeipa/freeipa/pull/723
Title: #723: Store GSSAPI session key in /var/run/httpd

Label: +rejected
MartinBasti
2017-05-02 12:56:32 UTC
URL: https://github.com/freeipa/freeipa/pull/723
Title: #723: Store GSSAPI session key in /var/run/httpd

MartinBasti commented:
"""
The issue will be fixed on the SELinux side
"""

See the full comment at https://github.com/freeipa/freeipa/pull/723#issuecomment-298627474
MartinBasti
2017-05-02 12:56:38 UTC
URL: https://github.com/freeipa/freeipa/pull/723
Author: MartinBasti
Title: #723: Store GSSAPI session key in /var/run/httpd
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/723/head:pr723
git checkout pr723