> I suspect that won't update the Kerberos variable in the environment. Please > check whether the value of > > < /proc/"$(pgrep firefox)"/environ xargs -0L1 | grep KRB > > reflects the updated or the old value. If the latter, simplest is to log out > and > in again so the whole environment gets hold of the updated variable.
The command output is empty because no 'KRB' environment variables are set. I entered the namespace with 'sudo nsenter -a -t "$(pgrep firefox)"' and see that the Kerberos configuration files '/etc/krb5.conf' and '/etc/krb5.conf.d/*' are both available. The same was true after a restart. >Yes in general, but /tmp is special, see [1]. Maybe you would be interested in >this bypass[2]. > >[1]https://ubuntu.com/core/docs/security-and-sandboxing >[2]https://askubuntu.com/questions/1263843/how-to-allow-snap-applications-to-access-tmp-folder Looks like I'd have to change the ccache location to the specific user's home directory unless I can then remount the remounted global /tmp into the Snap sandbox's /tmp. I'm not sure if that's possible... or wise. >> The kerberos is one, but the other one is the issue of snap packages not >> using the system certificate store, preventing secure use of organizational >> CAs. > >I wonder if that is part of what's going on here. For the Firefox Snap we use >the policy 'SecurityDevices' in order to point Firefox to >'/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so' which causes the Firefox >Snap to use the organizational CAs included in the system trust store. Based >on old code comments, this didn't appear to work in 20.04 (probably), but it >does work in 22.04 and 24.04. > >I'm not sure how the 'SecurityDevices' policy interacts with Kerberos. I'd >guess that the Firefox Snap and Kerberos libraries are separate in this >regard. Especially given that 'SecurityDevices' pointing to p11-kit is working >in 24.04 while Kerberos is not (at least for our set-up). I tried to test whether or not our organization's CAs were being used in the sandbox by running the 'klist' and 'kinit' tools in the Snap sandbox, but they are not available. I'm not sure how I can test this further. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1849346 Title: [snap] kerberos GSSAPI no longer works after deb->snap transition To manage notifications about this bug go to: https://bugs.launchpad.net/firefox/+bug/1849346/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
