Bug#846377: [systemd] /lib/systemd/systemd --user starts dbus-daemon without AFS token

Benjamin Kaduk kaduk at mit.edu
Wed Nov 30 23:48:29 GMT 2016


On Wed, Nov 30, 2016 at 07:31:24PM -0300, Felipe Sateler wrote:
> 
> `systemctl --user import-environment KRB5CCNAME` might be more
> appropriate if this variable should be copied from an already existing
> environment.

But when would this run, and what package would be responsible for causing
it to be run?  (I would prefer to not require that the user is responsible
for causing it to be run.)


Michael Biebl <biebl at debian.org> writes:

> This was mentioned on IRC:
>
> > <grawity> afaik, AFS tokens are stored as special keys in the
> > keyring, nowadays... so it might work if afs was patched to look in
> > the 'user' keyring, or if regular logins somehow joined systemd's
> > session keyring instead of creating a new one
> > <grawity> (CIFS has the same problem)

The AFS tokens are scoped to a specific PAG (Process Authentication Group),
which can provide cross-process isolation.  Processes can request to be
put in a new PAG explicitly if they desire separation, and PAGs are
identified by the afs_pag key type in the session keyring.  We generally
don't want to use the user keyring since that could lead to neutering of
the cross-process isolation that the PAGs are expected to provide.

-Ben

P.S. Looking more closely at the linked google doc, it was more likely
to be Jonathan Billings than Dave Botsch who wrote it.
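As an added illustration (not part of the thread), a small POSIX shell helper that parses `keyctl show @s` output to report whether the caller's session keyring carries an afs_pag key; running it from a login shell and from a `systemd --user` service shows whether the two ended up in different session keyrings and hence different PAGs. The listings below are constructed samples, and the `afs_pag: _pag` line shape is an assumption about how the AFS client names its key.

```shell
#!/bin/sh
# Added example: diagnose whether a process sits in an AFS PAG by inspecting
# the session keyring listing (`keyctl show @s`). The functions work on the
# listing text, so they can be exercised with constructed samples.

# Print the key id of the first afs_pag key in a listing, or nothing.
pag_key_id() {
    printf '%s\n' "$1" | awk '$0 ~ /afs_pag:/ { print $1; exit }'
}

# Succeed (0) if the listing contains an afs_pag key, fail (1) otherwise.
in_pag() {
    [ -n "$(pag_key_id "$1")" ]
}

# Succeed when two listings name the same _ses keyring id; differing ids
# mean tokens obtained in one session are invisible to the other.
same_session_keyring() {
    ssk_a=$(printf '%s\n' "$1" | awk '/keyring: _ses/ { print $1; exit }')
    ssk_b=$(printf '%s\n' "$2" | awk '/keyring: _ses/ { print $1; exit }')
    [ -n "$ssk_a" ] && [ "$ssk_a" = "$ssk_b" ]
}

# Constructed sample: a login shell after aklog (afs_pag key present).
LOGIN_LISTING='Session Keyring
 784782968 --alswrv   1000  1000  keyring: _ses
 326226024 --alswrv   1000 65534   \_ keyring: _uid.1000
 112233445 --alswrv   1000  1000   \_ afs_pag: _pag'

# Constructed sample: a process under systemd --user, which received its own
# session keyring at manager startup and never obtained a token.
USER_SVC_LISTING='Session Keyring
 556677889 --alswrv   1000  1000  keyring: _ses
 326226024 --alswrv   1000 65534   \_ keyring: _uid.1000'

report() {
    if in_pag "$1"; then
        printf '%s: in PAG (afs_pag key %s)\n' "$2" "$(pag_key_id "$1")"
    else
        printf '%s: no afs_pag key, AFS access is unauthenticated\n' "$2"
    fi
}

# Live use on a real host: report "$(keyctl show @s)" "this shell"
report "$LOGIN_LISTING" "login shell"
report "$USER_SVC_LISTING" "systemd --user service"
same_session_keyring "$LOGIN_LISTING" "$USER_SVC_LISTING" ||
    echo "session keyrings differ: the user manager is not in the login PAG"
```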
