#6880 Store GSSAPI session key in /var/run/httpd directory instead of /etc/httpd/alias
Closed: wontfix 5 years ago Opened 5 years ago by mbasti.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1443557

The GSSAPI session key is not static configuration but dynamic data, thus it should be stored in /var/run/httpd to avoid SELinux issues.


Metadata Update from @mbasti:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1443557
- Issue set to the milestone: FreeIPA 4.5.1

5 years ago

Metadata Update from @mbasti:
- Issue assigned to mbasti

5 years ago

Does /var/run/httpd survive a reboot?

At worst, it would affect those sessions which were created before the last reboot. I think we can afford that. Session max age is 1800 seconds right now, so we are talking about a 30-minute difference.

Please don't.
At most you may want to store it in /var/lib/ipa/somewhere, but we do not want to break sessions (there are people using APIs from non-interactive scripts) just because you needed to restart a service/server quickly.
These keys are considered long term keys, and should not be thrown away at each reboot.

Restarting Apache wouldn't be a problem. Rebooting the server would only affect existing sessions, which are 1800 seconds long. Non-interactive scripts have to acquire a session anyway; their inability to do so within a window of 30 minutes points to actual issues with the script.

master:

  • 2bab2d4 Store GSSAPI session key in /var/run/ipa

ipa-4-5:

  • b2aa3ed Store GSSAPI session key in /var/run/ipa

Additional info from @simo:

Let me also add that:

  • the directory needs to be writable by the apache user, as the key is created the first time the server is started
  • only the apache user must be able to read this key
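The two requirements above (the httpd user creates the key on first start, and only that user may read it) are what a "create if missing, otherwise verify and load" routine has to enforce. The following is an added example, not FreeIPA's code and not from any commit in this ticket; the path, the function names `ensure_session_key` / `load_session_key`, the 32-byte key length and the `owner_uid` parameter are all assumptions. It creates the key with `O_CREAT|O_EXCL` and mode 0600 so an existing file (or a symlink planted in a shared directory) is never silently reused or truncated, and on later starts it refuses a key that is owned by someone else or readable by group/other.

```python
import os
import stat
import tempfile

KEY_LEN = 32  # assumed key length; not a FreeIPA value


def load_session_key(path, owner_uid):
    """Open an existing key and verify it before trusting it.

    Checks are made on the opened descriptor (fstat) rather than on the
    path, so the file cannot be swapped between check and read.
    """
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise RuntimeError(f"{path}: not a regular file")
        if st.st_uid != owner_uid:
            raise RuntimeError(
                f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
        # Any group/other bit means a user other than the httpd user can
        # read (or replace) the key; refuse to use it.
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise RuntimeError(
                f"{path}: mode {oct(stat.S_IMODE(st.st_mode))} "
                "is group/world accessible")
        key = os.read(fd, 4096)
    finally:
        os.close(fd)
    if len(key) < 16:  # arbitrary sanity floor for this example
        raise RuntimeError(f"{path}: key too short ({len(key)} bytes)")
    return key


def ensure_session_key(path, owner_uid=None, key_len=KEY_LEN):
    """Create the key on first start, otherwise load and verify it.

    owner_uid defaults to the calling user, which stands in for the
    httpd user that would own the key on a real server.
    """
    if owner_uid is None:
        owner_uid = os.getuid()
    try:
        # O_EXCL: fail instead of truncating or following an existing
        # entry; 0o600 at creation so the file is never briefly readable
        # by others (umask can only remove bits from this mode).
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return load_session_key(path, owner_uid)
    try:
        key = os.urandom(key_len)
        os.write(fd, key)
        os.fsync(fd)
    finally:
        os.close(fd)
    return key


if __name__ == "__main__":
    # Constructed demo in a private temp dir; a real deployment would
    # use the directory the ticket argues about.
    keydir = tempfile.mkdtemp()
    keyfile = os.path.join(keydir, "session.key")
    first = ensure_session_key(keyfile)
    again = ensure_session_key(keyfile)
    print("created and reloaded same key:", first == again)
    os.chmod(keyfile, 0o644)  # simulate a misconfigured key file
    try:
        ensure_session_key(keyfile)
    except RuntimeError as e:
        print("rejected:", e)
```

Run under the user that will own the key; the first call creates it, later calls return the same bytes, and widening the mode (as in the demo) makes the next start fail loudly instead of continuing with a key other local users can read.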

Metadata Update from @mbabinsk:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 years ago

Metadata Update from @mbabinsk:
- Issue status updated to: Open (was: Closed)

5 years ago

The fix was shown to be incorrect so I am reverting the patches and reopening issue:

ipa-4-5:

  • a4e1ab6 Revert "Store GSSAPI session key in /var/run/ipa"

master:

  • 50f6883 Revert "Store GSSAPI session key in /var/run/ipa"

Metadata Update from @pvoborni:
- Issue priority set to: blocker
- Issue tagged with: regression, testblocker

5 years ago

This was fixed on the SELinux side.

Metadata Update from @mbasti:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

5 years ago
