
Re: Running kdc as unprivileged user

---- Original message ----
>Date: Tue, 07 Nov 2006 12:05:51 -0800
>From: Howard Chu <hyc@highlandsun.com>  
>Subject: Re: Running kdc as unprivileged user  
>To: Yury Arkady Sobolev <yury@OCF.Berkeley.EDU>
>Cc: heimdal-discuss@sics.se
>Yury Arkady Sobolev wrote:
>> Can the Kerberos daemons (kdc, kadmin) be run as an unprivileged user? I
>> do not see why not, but I have not found anyone doing this.
>> -Yury
>The KDC must be privileged to listen on port 88. If you use some other 
>port number, perhaps you can avoid that requirement.

The port being privileged is not too big a problem, but you would likely have to
code the privilege-dropping behaviour. An example that immediately comes to mind
is chroot-ed Apache.

Are there any good arguments against chroot-ing Heimdal? It does not run
chroot-ed by default on OpenBSD.


>  -- Howard Chu
>  Chief Architect, Symas Corp.  http://www.symas.com
>  Director, Highland Sun        http://highlandsun.com/hyc
>  OpenLDAP Core Team            http://www.openldap.org/project/
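As an added illustration of the privilege-dropping pattern raised in the reply (this is not Heimdal code and not from anyone on the thread), the sketch below does what a chroot-ed daemon does at startup: bind the privileged port while still root, resolve the target account before the jail hides /etc/passwd, chroot, shed supplementary groups, set gid then uid, and finally prove the drop cannot be undone. The account name "_kdc", the jail path "/var/empty" and the UDP-only listener are assumptions for the example; the calls are plain POSIX so it builds on OpenBSD and Linux alike.

```c
/* Added example, not Heimdal's own code.  KDC_USER and KDC_JAIL are assumed. */
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define KDC_PORT 88            /* kerberos/tcp and kerberos/udp */
#define KDC_USER "_kdc"        /* assumed unprivileged account */
#define KDC_JAIL "/var/empty"  /* assumed empty, root-owned directory */

/* Step 1: open and bind the listener while still root.  Returns the socket,
 * or -1 with errno set (EACCES for port 88 when the caller is not root). */
int bind_listener(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Look the account up before chroot(): getpwnam() reads /etc/passwd, which
 * is not visible from inside the jail.  0 on success, -1 if unknown. */
int resolve_user(const char *name, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

/* Steps 2 and 3: confine to the jail, then drop groups, gid and uid in that
 * order; once the uid is no longer 0 the earlier calls would be refused. */
int jail_and_drop(const char *jail, uid_t uid, gid_t gid)
{
    if (chroot(jail) < 0 || chdir("/") < 0)
        return -1;
    if (setgroups(1, &gid) < 0)       /* shed root's supplementary groups */
        return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    return 0;
}

/* Step 4: prove the drop is irreversible.  Returns 1 only if every id matches
 * the target and, for a non-root target, regaining uid 0 is refused. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0 && setuid(0) == 0)   /* saved set-uid still root: bad */
        return 0;
    return 1;
}

int main(void)
{
    uid_t uid;
    gid_t gid;
    int fd = bind_listener(KDC_PORT);  /* must run as root */
    if (fd < 0) {
        perror("bind port 88");
        return 1;
    }
    if (resolve_user(KDC_USER, &uid, &gid) < 0) {
        fprintf(stderr, "no such user: %s\n", KDC_USER);
        return 1;
    }
    if (jail_and_drop(KDC_JAIL, uid, gid) < 0) {
        perror("chroot/drop privileges");
        return 1;
    }
    if (!privileges_dropped(uid, gid)) {
        fputs("privilege drop incomplete\n", stderr);
        return 1;
    }
    puts("serving on :88 as " KDC_USER " inside " KDC_JAIL);
    /* ... request loop on fd would go here ... */
    close(fd);
    return 0;
}
```

The order matters: the socket is bound first because it is the only step that needs root, the account lookup happens before the jail removes the files it depends on, and the final check catches the classic mistake of calling setuid() without setgroups()/setgid() or of leaving a saved set-uid of 0 behind. Anything the daemon opens after jail_and_drop() (the KDC database, log files) must already live inside the jail and be readable by the target account.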