Skip Menu |
 

Subject: kadmin and ktutil installed in sbin, should be bin
Download (untitled) / with headers
text/plain 1.1KiB
This is Debian bug http://bugs.debian.org/477296

kadmin and ktutil are installed into ADMIN_BINDIR, which generally means
sbin. However, sbin is normally intended for binaries that only make
sense to be run by the local system administrator as root. The separate
directory is used mainly to avoid putting those binaries on the user's
path when they can't do anything useful with them. See, for instance:

http://www.pathname.com/fhs/pub/fhs-2.3.html#SBINSYSTEMBINARIES

Neither kadmin nor ktutil require root privileges on the local system.
kadmin may require administrative access to a Kerberos realm, but that's
not the same case as the /sbin vs. /bin distinction; the user on the
local system running kadmin is generally a normal user. Plus, both
binaries are used for manipulating non-system files; kadmin ktremove
requires no special access to any network service and is a reasonable
thing for an application administrator to do from a non-privileged account.

I'd like to move them to /usr/bin in the Debian package, but I don't
really want to diverge from the MIT distribution. I think both should
be moved to the regular /bin directory by the MIT install process as well.
We discussed this at a meeting and we basically agree. kadmin in
particular is normally run by non-root users and belongs in bin. ktutil
is a little less clear because the usual use case is to operate on host
keytabs which are only readable by root--but there are other fairly
common use cases, so it probably belongs in bin.

Do you want to commit the change for this to our repository?
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #6348] kadmin and ktutil installed in sbin, should be bin
From: Russ Allbery <rra@stanford.edu>
Date: Tue, 10 Feb 2009 11:01:18 -0800
RT-Send-Cc:
"Greg Hudson via RT" <rt-comment@krbdev.mit.edu> writes:

Show quoted text
> We discussed this at a meeting and we basically agree. kadmin in
> particular is normally run by non-root users and belongs in bin. ktutil
> is a little less clear because the usual use case is to operate on host
> keytabs which are only readable by root--but there are other fairly
> common use cases, so it probably belongs in bin.
>
> Do you want to commit the change for this to our repository?

Sure, I can do that. I'll try to do that later tonight.

--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
From: Russ Allbery <rra@stanford.edu>
Subject: SVN Commit

Install ktutil and kadmin into CLIENT_BINDIR instead of ADMIN_BINDIR
since both are useful for users other than the system administrator.


https://github.com/krb5/krb5/commit/1cd40edc5955072937c71cd332b36f9026b4a05f
Commit By: rra
Revision: 21966
Changed Files:
U trunk/src/kadmin/cli/Makefile.in
U trunk/src/kadmin/ktutil/Makefile.in
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #6348] kadmin and ktutil installed in sbin, should be bin
From: Russ Allbery <rra@stanford.edu>
Date: Tue, 10 Feb 2009 21:01:50 -0800
RT-Send-Cc:
"Greg Hudson via RT" <rt-comment@krbdev.mit.edu> writes:

Show quoted text
> We discussed this at a meeting and we basically agree. kadmin in
> particular is normally run by non-root users and belongs in bin. ktutil
> is a little less clear because the usual use case is to operate on host
> keytabs which are only readable by root--but there are other fairly
> common use cases, so it probably belongs in bin.
>
> Do you want to commit the change for this to our repository?

I've committed this now. I left the man pages in the man8 directory,
however, both because there are existing cross-references and because
there isn't always a one-to-one mapping between path and man1 vs. man8.
Let me know if you'd like me to move the man pages to section one as well,
though.

I also left k5srvutil where it is, although I wasn't sure that was the
right decision.

--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
To: rt@krbdev.MIT.EDU
Subject: Re: [krbdev.mit.edu #6348] kadmin and ktutil installed in sbin, should be bin
From: Tom Yu <tlyu@MIT.EDU>
Date: Fri, 20 Feb 2009 12:31:01 -0500
RT-Send-Cc:
Download (untitled) / with headers
text/plain 1.1KiB
"Russ Allbery via RT" <rt-comment@krbdev.mit.edu> writes:

Show quoted text
> "Greg Hudson via RT" <rt-comment@krbdev.mit.edu> writes:
>
>> We discussed this at a meeting and we basically agree. kadmin in
>> particular is normally run by non-root users and belongs in bin. ktutil
>> is a little less clear because the usual use case is to operate on host
>> keytabs which are only readable by root--but there are other fairly
>> common use cases, so it probably belongs in bin.
>>
>> Do you want to commit the change for this to our repository?
>
> I've committed this now. I left the man pages in the man8 directory,
> however, both because there are existing cross-references and because
> there isn't always a one-to-one mapping between path and man1 vs. man8.
> Let me know if you'd like me to move the man pages to section one as well,
> though.
>
> I also left k5srvutil where it is, although I wasn't sure that was the
> right decision.

After thinking about it somewhat, I forsee a use case where a Kerberos
administrator wishes to run k5srvutil (as a non-superuser) to generate
a keytab for a customer to install.

I think we should also put k5srvutil in the PREFIX/bin for this
reason.
From: Russ Allbery <rra@stanford.edu>
Subject: SVN Commit

Also install k5srvutil into PREFIX/bin instead of PREFIX/sbin.


https://github.com/krb5/krb5/commit/ab0b088275d8bb3e3ece766036962d0d97c417b4
Commit By: rra
Revision: 22042
Changed Files:
U trunk/src/kadmin/cli/Makefile.in
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #6348] kadmin and ktutil installed in sbin, should be bin
From: Russ Allbery <rra@stanford.edu>
Date: Fri, 20 Feb 2009 10:48:34 -0800
RT-Send-Cc:
"Tom Yu via RT" <rt-comment@krbdev.mit.edu> writes:

Show quoted text
> After thinking about it somewhat, I forsee a use case where a Kerberos
> administrator wishes to run k5srvutil (as a non-superuser) to generate a
> keytab for a customer to install.
>
> I think we should also put k5srvutil in the PREFIX/bin for this reason.

Committed.

--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
From: tlyu@mit.edu
Subject: SVN Commit

pull up r21966, r22042 from trunk

------------------------------------------------------------------------
r22042 | rra | 2009-02-20 13:48:26 -0500 (Fri, 20 Feb 2009) | 5 lines
Changed paths:
M /trunk/src/kadmin/cli/Makefile.in

Ticket: 6348
Tags: pullup

Also install k5srvutil into PREFIX/bin instead of PREFIX/sbin.

------------------------------------------------------------------------
r21966 | rra | 2009-02-11 00:00:24 -0500 (Wed, 11 Feb 2009) | 6 lines
Changed paths:
M /trunk/src/kadmin/cli/Makefile.in
M /trunk/src/kadmin/ktutil/Makefile.in

Ticket: 6348
Tags: pullup

Install ktutil and kadmin into CLIENT_BINDIR instead of ADMIN_BINDIR
since both are useful for users other than the system administrator.

------------------------------------------------------------------------

https://github.com/krb5/krb5/commit/a28632383c9182ecad2e1a9f70b218057a667833
Commit By: tlyu
Revision: 22206
Changed Files:
U branches/krb5-1-7/src/kadmin/cli/Makefile.in
U branches/krb5-1-7/src/kadmin/ktutil/Makefile.in