Hi,

On Tue, Jul 9, 2024 at 11:55 AM Russ Allbery <r...@debian.org> wrote:
>
> Andreas Hasenack <andr...@canonical.com> writes:
>
> > I opened #1074775[1] to backport the heimdal patches that add include
(...)
> The change is not entirely trivial, however. Here are some things that
> come to mind that we probably need a plan for how to handle:
>
> 1. For already-configured systems, should we add the include directive to
> the existing krb5.conf file? Presumably the answer is yes, or the

Presumably yes, but we have to indeed think about it. Normal dpkg conf
prompts will apply here, unless we do something (smart?) in postinst.

Update: just saw the krb5-config postinst, it indeed tries to handle many
cases, and this would be another one.

> migration is going to be rather difficult. Is there a correct place in
> the krb5.conf file to add the include so that we get the correct
> semantics for whether fragments override the main file or vice versa?

The included file needs to have the section specified, and the includedir
directive lives at the top without a section of its own; that's how I have
seen it being used so far (in MIT Kerberos).

> Are we going to break anyone's system by suddenly including the
> fragments? We'll at least need a NEWS.Debian entry; maybe we also need
> a debconf warning in some situations?

There are two breakage possibilities here:

a) It's quite possible some users already have a /etc/krb5.conf.d/foo.conf
file that has been ignored so far, and will now be included. That could
lead to unexpected behavior, yes.

b) If old heimdal is installed, and confronted with a krb5.conf that has an
includedir line outside of a section (like, first line), it will fail to
parse the file and break ("binding before section" error). That's what
I've seen in my testing. I haven't tried inclusions from other parts of
krb5.conf.

> 2. With the current logic, it's not possible to guarantee that the include
> directive has been added, since krb5-config by design doesn't touch a
> krb5.conf file that's a symlink. That means it's possible to have the
> latest version of everything installed and still not respect the
> configuration fragments. Do we just live with this? I'm nervous about

We could grep for include/includedir in krb5.conf, be it a symlink or not?
What is the scenario where /etc/krb5.conf is a symlink, are some sites
doing that?

> moving critical configuration into a fragment when we can't guarantee
> that the fragment is loaded. In the libpam-krb5 case, this can lead to
> a security vulnerability.

I see, so for example you will want to create a configuration snippet to
address #756880, but aren't sure if that file will even be included
because krb5.conf might not have the includedir directive. Note we can now
also include specific files, without it having to be a whole directory, if
this helps.

>
> 3. How do dependencies work? This change to krb5-config will require a
> particular version of Heimdal, since earlier versions don't support
> include (and will this break Kerberos entirely if the include is
> present?). But krb5-config can't depend on any specific Kerberos
> implementation, so I don't know how to represent this as a dependency.

I was thinking about a breaks, as in, new krb5-config would break old
heimdal.

> And what dependency should a package that wants to use included
> fragments have to ensure that those included fragments are loaded?

Some virtual provides perhaps? Too much?