Issue #6880: Store GSSAPI session key in /var/run/httpd directory instead of /etc/httpd/alias - freeipa

freeipa

#6880 Store GSSAPI session key in /var/run/httpd directory instead of /etc/httpd/alias

Closed: wontfix 6 years ago Opened 7 years ago by mbasti.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1443557

GSSAPI session key is not static configuration but dynamic data, thus it should be stored in /var/run/httpd to avoid SElinux issues.

Metadata Update from @mbasti:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1443557
- Issue set to the milestone: FreeIPA 4.5.1

7 years ago

Metadata Update from @mbasti:
- Issue assigned to mbasti

7 years ago

cheimes commented 7 years ago

Does /var/run/httpd survive a reboot?

mbasti commented 7 years ago

abbra commented 7 years ago

At worst, it would affect those sessions which were created before last reboot. I think we can afford that. Session max age is 1800 seconds right now so we are talking about 30 minutes difference.

simo commented 6 years ago

Please don't.
At most you may want to store it in /var/lib/ipa/somewhere, but we do not want to break sessions (there are people using APIs from non-interactive scripts) just because you needed to restart a service/server quickly.
These keys are considered long term keys, and should not be thrown away at each reboot.

abbra commented 6 years ago

Restarting apache wouldn't be a problem. Rebooting server would only affect existing sessions of 1800 seconds long. Non-interactive scripts have to acquire session anyway, their inability to do so in a window of 30 minutes points to actual issues with the script.

mbabinsk commented 6 years ago

master:

2bab2d4 Store GSSAPI session key in /var/run/ipa

ipa-4-5:

b2aa3ed Store GSSAPI session key in /var/run/ipa

Additional info from @simo:

Let me also add that:

the directory needs to be writable by the apache user as the key is created the first time the server is started
only the apache user must be able to read this key

Edited 6 years ago by mbabinsk

Metadata Update from @mbabinsk:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago

Metadata Update from @mbabinsk:
- Issue status updated to: Open (was: Closed)

6 years ago

mbabinsk commented 6 years ago

The fix was shown to be incorrect so I am reverting the patches and reopening issue:

ipa-4-5:

a4e1ab6 Revert "Store GSSAPI session key in /var/run/ipa"

master:

50f6883 Revert "Store GSSAPI session key in /var/run/ipa"

Metadata Update from @pvoborni:
- Issue priority set to: blocker
- Issue tagged with: regression, testblocker

6 years ago

mbasti commented 6 years ago

This was fixed on SElinux side.

Metadata Update from @mbasti:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

6 years ago

Metadata

Assignee

mbasti

Tags

Blocking

None

Depending on

None

Priority

critical

Milestone

FreeIPA 4.5.1

None

affects_doc

None

source

None

knownissue

None

type

None

blockedby

None

test_case

None

component

None

blocking

None

on_review

None

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=1443557

tester

None

changelog

None

design

None

freeipa

Source Code

#6880 Store GSSAPI session key in /var/run/httpd directory instead of /etc/httpd/alias Closed: wontfix 6 years ago Opened 7 years ago by mbasti.

Metadata

testblocker regression

#6880 Store GSSAPI session key in /var/run/httpd directory instead of /etc/httpd/alias

Closed: wontfix 6 years ago Opened 7 years ago by mbasti.