shibd as non-root
Ferenc Wagner
wferi at niif.hu
Fri Jun 5 16:23:39 UTC 2009
"Scott Cantor" <cantor.2 at osu.edu> writes:
> Russ Allbery wrote on 2009-05-22:
>
>> Is there any way that we can check at startup time whether the _shibd
>> user can read the private key? Some sort of shibd sanity check option
>> would be great here. Then, we could modify the init script to change
>> users iff the sanity check passed and document in NEWS.Debian that
>> people should change the permissions on the private key so that _shibd
>> can read it.
>
> The problem is the configuration test process doesn't signal fatal errors
> every time something's wrong, it relies on manual examination for spotting
> problems. I'd have to think about it, but it's extremely non-trivial, there
> are too many pluggable components to control that kind of thing from
> outside.
Yes, the error is shown like this by shibd -t:
2009-06-05 18:14:28 ERROR XMLTooling.CredentialResolver.File : key file (/etc/shibboleth/unreadable.key) can't be read to determine encoding format
2009-06-05 18:14:28 CRIT Shibboleth.Application : error building CredentialResolver: FilesystemCredentialResolver can't read key file (/etc/shibboleth/unreadable.key) to determine encoding format
overall configuration is loadable, check console for non-fatal problems
but the exit status is 0, and the daemon starts running in spite of
this error if -t is not specified. Perhaps we could grep for these
messages. Sure it's fragile, but it doesn't have to survive long, we
could drop it after the release of Squeeze.
--
Regards,
Feri.
More information about the Pkg-shibboleth-devel
mailing list