[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Running kdc as unprivileged user

To: heimdal-discuss@sics.se
Subject: Re: Running kdc as unprivileged user
From: Jacob Yocom-Piatt <dick@uchicago.edu>
Date: Tue, 7 Nov 2006 15:10:05 -0600 (CST)
Reply-To: dick@uchicago.edu
Sender: owner-heimdal-discuss@sics.se

---- Original message ----
>Date: Tue, 07 Nov 2006 12:05:51 -0800
>From: Howard Chu <hyc@highlandsun.com>  
>Subject: Re: Running kdc as unprivileged user  
>To: Yury Arkady Sobolev <yury@OCF.Berkeley.EDU>
>Cc: heimdal-discuss@sics.se
>
>Yury Arkady Sobolev wrote:
>> Can the Kerberos daemons (kdc, kadmin) be run as an unprivileged user? I
>> do not see why not, but I have not found anyone doing this.
>>
>> -Yury
>>
>>   
>The KDC must be privileged to listen on port 88. If you use some other 
>port number, perhaps you can avoid that requirement.
>

the port being privileged is not too big a problem, but you would likely have to
code the privilege dropping behavior. an example that immediately comes to mind
is chroot-ed apache.

are there any good arguments against chroot-ing heimdal? it does not run
chroot-ed by default on openbsd.

cheers,
jake

>-- 
>  -- Howard Chu
>  Chief Architect, Symas Corp.  http://www.symas.com
>  Director, Highland Sun        http://highlandsun.com/hyc
>  OpenLDAP Core Team            http://www.openldap.org/project/
>

Follow-Ups:
- Re: Running kdc as unprivileged user
  - From: Love Hörnquist Åstrand <lha@kth.se>

Prev by Date: Re: Running kdc as unprivileged user
Next by Date: Re: Running kdc as unprivileged user
Prev by thread: Re: Running kdc as unprivileged user
Next by thread: Re: Running kdc as unprivileged user
Index(es):
- Date
- Thread