On Sat, Oct 05, 2013 at 05:29:04PM -0700, Russ Allbery wrote:
> "brian m. carlson" <[email protected]> writes:
>
> > I am trying to use mpm_itk along with mod_auth_kerb to force
> > authentication before running a CGI script as a user (in this case, the
> > git smart HTTP server). However, mod_auth_kerb reads the keytab after
> > it has dropped privileges, resulting in the problem that the user to
> > which privileges have been dropped cannot read the keytab file. This
> > is, of course, by design—ordinary users should not have access to the
> > Apache keytab.
>
> > Would it be possible to read the keytab on startup before dropping
> > privileges so that this use case (and suexec, and so on) works?
>
> Unfortunately, I believe that this would break KrbServiceName Any, which
> at least for me is vital functionality. You would need to explicitly
> import one particular set of credentials from the keytab, and you wouldn't
> know which ones to import.
Would it? Can't we just open all the keytabs at the beginning, and then
call krb5_kt_dup to clone the appropriate handle in each request, iterating
over the duplicated handle and then closing it? I haven't tested it, but it
looks possible to do from the krb5 API docs.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187