[Freeipa-devel] [PATCH 0037] Added /etc/krb5.conf.d/ to krb5.conf

Robbie Harwood rharwood at redhat.com
Tue May 31 17:19:55 UTC 2016


Alexander Bokovoy <abokovoy at redhat.com> writes:

> On Sat, 28 May 2016, Robbie Harwood wrote:
>> Alexander Bokovoy <abokovoy at redhat.com> writes:
>>> On Fri, 27 May 2016, Robbie Harwood wrote:
>>>> Stanislav Laznicka <slaznick at redhat.com> writes:
>>>>> From: Stanislav Laznicka <slaznick at redhat.com>
>>>>>
>>>>> The include of /etc/krb5.conf.d/ is required for crypto-policies
>>>>> to work properly
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/5912
>>>>
>>>> Thank you for working on this.  Is the intent on the part of
>>>> FreeIPA to keep a separate, freeipa-specific directory?  And if so,
>>>> can I suggest that we not do that?
>>>
>>> SSSD cannot write to /etc and I don't think we have to change it.
>>
>> Can you elaborate on this?  Why can't sssd write the stuff it puts in
>> /var/lib into /etc, or symlink it?
>
> Writing to /etc is considered a privilege of a system administrator. A
> runtime override is typically done outside it, in /run like systemd
> allows for its configuration for volatile setups and in /var/lib
> for non-volatile ones. The latter has long been a state of affairs in
> Linux.
>
> Currently SSSD runs under root but it is already made possible to run as
> non-root user and we intend to switch to that mode in future releases.

I guess I don't see a meaningful difference here.  We're still writing
to /etc when we modify krb5.conf.

My reading of the FHS is that this is not an intended use of /var/lib:
/var/lib is for state information [0], and the only time the FHS
mentions config files is to point out that they go in the /etc tree.

Anyway, I've said my piece and won't derail this further.  If you want
to merge, this is a cosmetic issue and I can live with it.

[0]: http://www.pathname.com/fhs/pub/fhs-2.3.html#VARLIBVARIABLESTATEINFORMATION