[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Running kdc as unprivileged user
On Thu, Nov 16, 2006 at 09:57:27PM +0100, Måns Nilsson wrote:
>
>
> --On måndag, måndag 6 nov 2006 23.36.56 -0800 Yury Arkady Sobolev
> <yury@OCF.Berkeley.EDU> wrote:
>
> > Can the Kerberos daemons (kdc, kadmin) be run as an unprivileged user? I
> > do not see why not, but I have not found anyone doing this.
>
> I see two ways to get around the port binding issue without coding:
>
> * Use an operating system with enhanced privilege granularity, like Solaris
> 10, and give appropriate permissions to the user, like "net_privaddr" in
> the S10 example.
>
> * Tell the kdc to listen on an unprivileged port, and point your clients to
> it with proper SRV records:
>
> _kerberos._udp.namn.se 3600 SRV 10 10 4711 unprivkdc.namn.se.
>
> Both methods have issues; do you want the kdc on Sol10, and can your
> clients find the kdc through DNS?
What is the problem with the first method? As a matter of fact, this is
exactly what I am doing. I used RBAC to allow a heimdal user access to
the privileged ports. It seems to be working fine.
-Yury
> Having written so much, I do not find running the kdc as root is a very big
> issue. The kdc must be secure beyond comprehension anyways...
>
> --
> Måns Nilsson Systems Specialist
> +46 70 681 7204 cell KTHNOC
> +46 8 790 6518 office MN1334-RIPE
>
> Half a mind is a terrible thing to waste!