"brian m. carlson" <sand...@crustytoothpaste.net> writes: > I am trying to use mpm_itk along with mod_auth_kerb to force > authentication before running a CGI script as a user (in this case, the > git smart HTTP server). However, mod_auth_kerb reads the keytab after > it has dropped privileges, resulting in the problem that the user to > which privileges have been dropped cannot read the keytab file. This > is, of course, by design—ordinary users should not have access to the > Apache keytab.
> Would it be possible to read the keytab on startup before dropping > privileges so that this use case (and suexec, and so on) works? Unfortunately, I believe that this would break KrbServiceName Any, which at least for me is vital functionality. You would need to explicitly import one particular set of credentials from the keytab, and you wouldn't know which ones to import. -- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/> -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
