Re: Running kdc as unprivileged user
---- Original message ----
>Date: Tue, 07 Nov 2006 12:05:51 -0800
>From: Howard Chu <firstname.lastname@example.org>
>Subject: Re: Running kdc as unprivileged user
>To: Yury Arkady Sobolev <yury@OCF.Berkeley.EDU>
>Yury Arkady Sobolev wrote:
>> Can the Kerberos daemons (kdc, kadmin) be run as an unprivileged user? I
>> do not see why not, but I have not found anyone doing this.
>The KDC must be privileged to listen on port 88. If you use some other
>port number, perhaps you can avoid that requirement.
The port being privileged is not too big a problem, but you would likely have to
code the privilege-dropping behavior. An example that immediately comes to mind
is chroot-ed Apache.
Are there any good arguments against chroot-ing Heimdal? It does not run
chroot-ed by default on OpenBSD.
> -- Howard Chu
> Chief Architect, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc
> OpenLDAP Core Team http://www.openldap.org/project/