> I suspect that won't update the Kerberos variable in the environment. Please
> check whether the value of
>
> < /proc/"$(pgrep firefox)"/environ xargs -0L1 | grep KRB
>
> reflects the updated or the old value. If the latter, simplest is to log out
> and in again so the whole environment gets hold of the updated variable.

The command output is empty because no 'KRB' environment variables are
set.  I entered the namespace with
'sudo nsenter -a -t "$(pgrep firefox)"' and see that the Kerberos
configuration files '/etc/krb5.conf' and '/etc/krb5.conf.d/*' are both
available.  The same was true after a restart.

> Yes in general, but /tmp is special, see [1]. Maybe you would be interested in
> this bypass [2].
>
> [1] https://ubuntu.com/core/docs/security-and-sandboxing
> [2] https://askubuntu.com/questions/1263843/how-to-allow-snap-applications-to-access-tmp-folder

Looks like I'd have to change the ccache location to the specific user's
home directory unless I can then remount the remounted global /tmp into
the Snap sandbox's /tmp.  I'm not sure if that's possible... or wise.

>> The kerberos is one, but the other one is the issue of snap packages not
>> using the system certificate store, preventing secure use of organizational
>> CAs.
>
> I wonder if that is part of what's going on here. For the Firefox Snap we use
> the policy 'SecurityDevices' in order to point Firefox to
> '/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so' which causes the Firefox
> Snap to use the organizational CAs included in the system trust store. Based
> on old code comments, this didn't appear to work in 20.04 (probably), but it
> does work in 22.04 and 24.04.
>
> I'm not sure how the 'SecurityDevices' policy interacts with Kerberos. I'd
> guess that the Firefox Snap and Kerberos libraries are separate in this
> regard. Especially given that 'SecurityDevices' pointing to p11-kit is working
> in 24.04 while Kerberos is not (at least for our set-up).

I tried to test whether or not our organization's CAs were being used in
the sandbox by running the 'klist' and 'kinit' tools in the Snap
sandbox, but they are not available.  I'm not sure how I can test this
further.

https://bugs.launchpad.net/bugs/1849346

Title:
  [snap] kerberos GSSAPI no longer works after deb->snap transition

Status in Mozilla Firefox:
  New
Status in snapd:
  New
Status in chromium-browser package in Ubuntu:
  In Progress
Status in firefox package in Ubuntu:
  In Progress

Bug description:
  Workaround
  ----------

  Add

    default_ccache_name = FILE:/run/user/%{euid}/krb5cc

  to the [libdefaults] section of /etc/krb5.conf so that the Kerberos
  credentials are stored in a file path a snapped application can read.

  Acknowledgement: For many, that can't work, for {different reasons}, as
  stated in multiple comments below. Nonetheless it is worth a mention.

  Original report
  ---------------

  I configure AuthServerWhitelist as documented:

  https://www.chromium.org/developers/design-documents/http-authentication

  and can see my whitelisted domains in chrome://policy/

  but websites that used to work with SPNEGO/GSSAPI/kerberos no longer
  work. I'm guessing the snap needs some sort of permission to use the
  kerberos ticket cache (or the plumbing to do so doesn't exist...).

  I can confirm that Chrome has the desired behavior.
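The workaround above is a one-line edit, but it is easy to get wrong by hand (key outside [libdefaults], or duplicated on a second attempt). The script below is an added example written for this thread, not code from the bug report, from snapd or from MIT Kerberos; it sets default_ccache_name idempotently in the [libdefaults] section of whatever file you hand it, reads the value back, and flags the one cache location this bug is about, a FILE: cache under /tmp, which a snapped browser cannot see because snaps get a private /tmp. The demo at the end runs on a constructed krb5.conf copy, never on the real /etc/krb5.conf; the sample realm and KDC names are made up.

```shell
#!/bin/sh
# Added example for this thread (not code from the bug report, snapd or
# krb5). It applies the workaround from the bug description: point
# default_ccache_name in [libdefaults] at a cache under /run/user/<uid>/,
# a path a snapped application can read, instead of the per-snap private
# /tmp. The demo at the bottom uses a constructed copy of krb5.conf.

# set_default_ccache FILE VALUE
# Sets (or rewrites) default_ccache_name in the [libdefaults] section of
# FILE. Creates the section if it is missing; never duplicates the key.
set_default_ccache() {
    file=$1
    value=$2
    tmp=$(mktemp) || return 1
    awk -v val="$value" '
        /^[[:space:]]*\[/ {
            # Leaving [libdefaults] without having seen the key: append it
            # just before the next section header.
            if (inlib && !done) { print "    default_ccache_name = " val; done = 1 }
            inlib = ($0 ~ /^[[:space:]]*\[libdefaults\]/)
            print; next
        }
        inlib && /^[[:space:]]*default_ccache_name[[:space:]]*=/ {
            # Key already present: rewrite it in place, keeping its indentation.
            match($0, /^[[:space:]]*/)
            print substr($0, 1, RLENGTH) "default_ccache_name = " val
            done = 1; next
        }
        { print }
        END {
            # File ended inside [libdefaults] without the key, or had no
            # [libdefaults] section at all.
            if (!done) {
                if (!inlib) print "[libdefaults]"
                print "    default_ccache_name = " val
            }
        }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_default_ccache FILE
# Prints the default_ccache_name value from [libdefaults], or nothing.
get_default_ccache() {
    awk '
        /^[[:space:]]*\[/ { inlib = ($0 ~ /^[[:space:]]*\[libdefaults\]/); next }
        inlib && /^[[:space:]]*default_ccache_name[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit
        }
    ' "$1"
}

# ccache_in_private_tmp CCACHE
# Returns 0 when CCACHE is a FILE: cache (or bare path) under /tmp, the
# location a snapped Firefox cannot see because snaps get a private /tmp.
# Anything else returns 1; that says nothing about whether those other
# locations are actually readable from inside the sandbox.
ccache_in_private_tmp() {
    case $1 in
        FILE:/tmp/*|/tmp/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on a constructed krb5.conf copy (realm and KDC names are made up).
demo=$(mktemp)
printf '%s\n' '[libdefaults]' '    default_realm = EXAMPLE.COM' '' \
    '[realms]' '    EXAMPLE.COM = {' '        kdc = kdc.example.com' '    }' > "$demo"
set_default_ccache "$demo" 'FILE:/run/user/%{euid}/krb5cc'
echo "default_ccache_name is now: $(get_default_ccache "$demo")"
rm -f "$demo"
```

To apply it for real, run set_default_ccache against a root-owned copy of /etc/krb5.conf, diff it against the original, then install it; after logging out and back in, klist on the host should report the cache under /run/user/<uid>/.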
