shibd as non-root
rra at debian.org
Mon Dec 1 19:53:51 UTC 2008
Kristof BAJNOK <bajnokk at niif.hu> writes:

> I was tweaking with changing the SP to run shibd as a system user. It
> seems that it's quite an obvious thing to do. Changing permissions for
> /var/log/shibboleth, /var/run/shibboleth and the PKI keys and minor
> editing in the init script was enough to let it go. And it seems to be
> working fine.

> That could be easily done by the package, so we could get rid of running it
> as root. (Which could be a slight security improvement.)

It's been on my to-do list for a while, so I'm certainly in favor.
Patches very much welcome, even partial ones.

Following the recent debian-devel discussion, I think we should use _shibd
as the username to run the daemon as; the consensus seems to be trending
towards using leading underscores for system users automatically created
by packages to reduce conflicts with possible regular user accounts.

Russ Allbery (rra at debian.org) <http://www.eyrie.org/~eagle/>
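
A read-only pre-flight check for the change discussed in this thread, added here as an example; it is not part of the original messages or of the Debian package. It verifies that the log and runtime directories and the private key are usable by the non-root account before shibd is switched over. The function name, the key path argument and the optional root prefix are assumptions, since the thread gives no key location.

```shell
#!/bin/sh
# Added example: check ownership and modes before running shibd as non-root.
# Usage: check_shibd_perms USER KEYFILE [ROOT]
#   USER    account shibd will run as (the thread proposes _shibd)
#   KEYFILE path to the SP private key (placeholder; not given in the thread)
#   ROOT    optional prefix so the check can run against a staging tree
# Prints one line per problem and returns the number of problems found.
check_shibd_perms() {
    user=$1 key=$2 root=${3:-}
    problems=0

    # find(1) errors out on an unknown user and would report nothing,
    # so make sure the account exists first.
    if ! id "$user" >/dev/null 2>&1; then
        echo "no such user: $user"
        return 1
    fi

    # shibd must be able to write its log and runtime directories.
    for dir in "$root/var/log/shibboleth" "$root/var/run/shibboleth"; do
        if [ ! -d "$dir" ]; then
            echo "missing directory: $dir"
            problems=$((problems + 1))
        elif [ -n "$(find "$dir" ! -user "$user")" ]; then
            # Entries left owned by another account (typically root from
            # the old setup) will make writes fail after the switch.
            echo "entries under $dir not owned by $user"
            problems=$((problems + 1))
        fi
    done

    # The private key must belong to the daemon user and be closed to
    # group and others (-perm /077 is GNU find syntax).
    if [ ! -f "$key" ]; then
        echo "missing key: $key"
        problems=$((problems + 1))
    else
        if [ -n "$(find "$key" ! -user "$user")" ]; then
            echo "key $key not owned by $user"
            problems=$((problems + 1))
        fi
        if [ -n "$(find "$key" -perm /077)" ]; then
            echo "key $key accessible to group or others"
            problems=$((problems + 1))
        fi
    fi
    return "$problems"
}
```
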