shibd as non-root

Russ Allbery rra at
Mon Dec 1 19:53:51 UTC 2008

Kristof BAJNOK <bajnokk at> writes:

> I was tweaking with changing the SP to run shibd as a system user. It
> seems that it's quite an obvious thing to do. Changing permissions for
> /var/log/shibboleth, /var/run/shibboleth and the PKI keys and minor
> editing in the init script was enough to let it go. And it seems to be
> working fine.
> That could be easily done by the package, so we could get rid of running
> it as root. (Which could be a slight security improvement.)

It's been on my to-do list for a while, so I'm certainly in favor.
Patches very much welcome, even partial ones.

Following the recent debian-devel discussion, I think we should use _shibd
as the username to run the daemon as; the consensus seems to be trending
towards using leading underscores for system users automatically created
by packages to reduce conflicts with possible regular user accounts.

Russ Allbery
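
An audit for the change discussed in this thread, added here as an example (it is not from the posts or from the Debian package): it checks that the log and run directories belong entirely to the daemon user and that the SP private key is owned by that user and closed to group and others. The function name `audit_shibd_paths`, the key file location and the owner-only key policy are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Debian shibboleth package.
# audit_shibd_paths is a hypothetical helper name.
#
# usage: audit_shibd_paths USER KEYFILE DIR...
#   USER     account shibd runs as (the thread proposes _shibd)
#   KEYFILE  SP private key; its path is site-specific (assumption)
#   DIR...   state dirs, e.g. /var/log/shibboleth /var/run/shibboleth
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_shibd_paths() {
    user=$1 key=$2
    shift 2
    rc=0

    # find(1) errors out on an unknown user name, so check it first.
    if ! id -u "$user" >/dev/null 2>&1; then
        echo "no such user: $user"
        return 1
    fi

    # shibd must be able to write its logs, socket and pid file, so
    # nothing under these directories may be left owned by another user.
    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            echo "missing directory: $dir"; rc=1
            continue
        fi
        bad=$(find "$dir" ! -user "$user" -print)
        if [ -n "$bad" ]; then
            echo "not owned by $user: $bad"; rc=1
        fi
    done

    # The private key must be readable by the daemon user only
    # (assumed policy: owned by USER, no group/other permission bits).
    if [ ! -f "$key" ]; then
        echo "missing key file: $key"; rc=1
    else
        if [ -n "$(find "$key" ! -user "$user" -print)" ]; then
            echo "key not owned by $user: $key"; rc=1
        fi
        # Characters 5-10 of the ls mode string are the group/other bits.
        if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
            echo "key open to group or others: $key"; rc=1
        fi
    fi
    return $rc
}
```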
