From owner-freebsd-questions@FreeBSD.ORG Fri Dec 24 14:26:48 2010 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 711BA106566C for ; Fri, 24 Dec 2010 14:26:48 +0000 (UTC) (envelope-from vas@mpeks.tomsk.su) Received: from relay2.tomsk.ru (relay2.tomsk.ru [212.73.124.8]) by mx1.freebsd.org (Postfix) with ESMTP id BB69C8FC0A for ; Fri, 24 Dec 2010 14:26:47 +0000 (UTC) X-Virus-Scanned: by clamd daemon 0.93.1 for FreeBSD at relay2.tomsk.ru Received: from admin.sibptus.tomsk.ru (account sudakov@sibptus.tomsk.ru [212.73.125.240] verified) by relay2.tomsk.ru (CommuniGate Pro SMTP 5.1.13) with ESMTPSA id 15207364 for freebsd-questions@freebsd.org; Fri, 24 Dec 2010 20:26:45 +0600 Received: from admin.sibptus.tomsk.ru (sudakov@localhost [127.0.0.1]) by admin.sibptus.tomsk.ru (8.14.3/8.14.3) with ESMTP id oBOEQi9x030428 for ; Fri, 24 Dec 2010 20:26:45 +0600 (OMST) (envelope-from vas@mpeks.tomsk.su) Received: (from sudakov@localhost) by admin.sibptus.tomsk.ru (8.14.3/8.14.3/Submit) id oBOEQior030427 for freebsd-questions@freebsd.org; Fri, 24 Dec 2010 20:26:44 +0600 (OMST) (envelope-from vas@mpeks.tomsk.su) X-Authentication-Warning: admin.sibptus.tomsk.ru: sudakov set sender to vas@mpeks.tomsk.su using -f Date: Fri, 24 Dec 2010 20:26:44 +0600 From: Victor Sudakov To: freebsd-questions@freebsd.org Message-ID: <20101224142644.GA30333@admin.sibptus.tomsk.ru> Mail-Followup-To: Victor Sudakov , freebsd-questions@freebsd.org References: <20101223201249.ea7648aa.freebsd@edvax.de> <20101223191443.GA24653@gizmo.acns.msu.edu> <20101224031352.GB16472@admin.sibptus.tomsk.ru> <20101224042542.3e21a6df.freebsd@edvax.de> <20101224035041.GF16472@admin.sibptus.tomsk.ru> <4D14233F.4070107@herveybayaustralia.com.au> <20101224080354.GA21712@admin.sibptus.tomsk.ru> <4D14555B.3000909@herveybayaustralia.com.au> <20101224093724.GC23384@admin.sibptus.tomsk.ru> <4D147821.3020706@herveybayaustralia.com.au> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4D147821.3020706@herveybayaustralia.com.au> User-Agent: Mutt/1.4.2.3i Organization: AO "Svyaztransneft", SibPTUS X-PGP-Key: http://www.livejournal.com/pubkey.bml?user=victor_sudakov X-PGP-Fingerprint: 10E3 1171 1273 E007 C2E9 3532 0DA4 F259 9B5E C634 Subject: Re: rc.d and environment variables X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 24 Dec 2010 14:26:48 -0000 Da Rock wrote: [dd] > >I really don't know what the security implications will be if > >/etc/krb5.keytab is readable by anyone besides the root user? Do you > >have a clue about it? There are other services' keys stored there > >besides svn (host/*, cvs/* etc). > > > > > At the risk of getting laughed off stage, and pulling in yet another > service, what about ldap? I believe there is supposed to be a way to > store keytabs in ldap, which theoretically would mean only the > particular services would be able to access their keytabs. No matter where we store the keytabs, if it is not the default location (/etc/krb5.keytab for FreeBSD), we face the same problem of telling the server application about the alternative location of the keytab. -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN sip:sudakov@sibptus.tomsk.ru