shibd as non-root

Ferenc Wagner wferi at
Fri Jun 5 16:23:39 UTC 2009

"Scott Cantor" <cantor.2 at> writes:

> Russ Allbery wrote on 2009-05-22:
>> Is there any way that we can check at startup time whether the _shibd
>> user can read the private key?  Some sort of shibd sanity check option
>> would be great here.  Then, we could modify the init script to change
>> users iff the sanity check passed and document in NEWS.Debian that
>> people should change the permissions on the private key so that _shibd
>> can read it.
> The problem is that the configuration test process doesn't signal fatal errors
> every time something's wrong; it relies on manual examination for spotting
> problems. I'd have to think about it, but it's extremely non-trivial: there
> are too many pluggable components to control that kind of thing from
> outside.

Yes, the error is shown like this by shibd -t:

2009-06-05 18:14:28 ERROR XMLTooling.CredentialResolver.File : key file (/etc/shibboleth/unreadable.key) can't be read to determine encoding format
2009-06-05 18:14:28 CRIT Shibboleth.Application : error building CredentialResolver: FilesystemCredentialResolver can't read key file (/etc/shibboleth/unreadable.key) to determine encoding format
overall configuration is loadable, check console for non-fatal problems

but the exit status is 0, and the daemon starts running in spite of
this error if -t is not specified.  Perhaps we could grep for these
messages.  Sure, it's fragile, but it doesn't have to survive long; we
could drop it after the release of Squeeze.
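The check sketched in the thread (verify that the daemon user can read the key, and grep the shibd -t console output for the CredentialResolver error because the exit status is 0 either way), written out as an added POSIX sh example. It is not code from the Debian shibboleth package or from the Shibboleth project. Assumptions not stated in the thread: the daemon user is _shibd, shibd -t writes its log to the console (captured with 2>&1), and su(1) is used to run the config test as that user. The sample log text is constructed from the two lines quoted in the message.

```shell
#!/bin/sh
# Added example, not from the Debian package or the Shibboleth project.
# Assumed: daemon user _shibd, shibd -t logging to the console, su available.

SHIBD_USER="${SHIBD_USER:-_shibd}"

# Sample "shibd -t" console output, constructed from the two log lines in the
# message plus the normal closing line; used only to exercise the functions.
SAMPLE_BAD="2009-06-05 18:14:28 ERROR XMLTooling.CredentialResolver.File : key file (/etc/shibboleth/unreadable.key) can't be read to determine encoding format
2009-06-05 18:14:28 CRIT Shibboleth.Application : error building CredentialResolver: FilesystemCredentialResolver can't read key file (/etc/shibboleth/unreadable.key) to determine encoding format
overall configuration is loadable, check console for non-fatal problems"
SAMPLE_OK="overall configuration is loadable, check console for non-fatal problems"

# 0 if stdin carries the CredentialResolver key-file error, 1 otherwise.
# This is the fragile grep the message proposes: it keys on the CRIT line
# because the exit status of shibd -t is 0 even when this error is logged.
shibd_output_has_key_error() {
    grep -q 'error building CredentialResolver'
}

# Print the key path named in the error read from stdin; print nothing if
# the error is absent. Lets the init script say which file to fix.
failing_key_path() {
    sed -n "s/.*can't read key file (\([^)]*\)).*/\1/p" | head -n 1
}

# 0 if user $1 can read regular file $2 by the classic owner/group/other
# mode bits, 1 otherwise. root reads anything. POSIX ACLs are not consulted
# (caveat: on an ACL-using host fall back to su ... -c "test -r file").
file_readable_by_user() {
    user=$1 file=$2
    [ -f "$file" ] || return 1
    [ "$user" = root ] && return 0
    groups=$(id -Gn "$user" 2>/dev/null) || return 1   # unknown user
    set -- $(ls -ld "$file")
    perms=$1 owner=$3 group=$4
    if [ "$owner" = "$user" ]; then
        case $perms in ?r*) return 0 ;; esac
        return 1
    fi
    for g in $groups; do
        if [ "$g" = "$group" ]; then
            case $perms in ????r*) return 0 ;; esac
            return 1
        fi
    done
    case $perms in ???????r*) return 0 ;; esac
    return 1
}

# What the init script would run before dropping to $SHIBD_USER (needs a
# real shibd, so the sample data above does not exercise it): refuse when
# the key is unreadable by that user or when a config test run as that
# user logs the resolver error. $1 is the private key path from the config.
shibd_sanity_check() {
    key=$1
    if ! file_readable_by_user "$SHIBD_USER" "$key"; then
        echo "shibd: $key is not readable by $SHIBD_USER" >&2
        return 1
    fi
    # Exit status of shibd -t is 0 even on this error, so inspect the log.
    out=$(su -s /bin/sh "$SHIBD_USER" -c 'shibd -t 2>&1' 2>&1) || true
    if printf '%s\n' "$out" | shibd_output_has_key_error; then
        echo "shibd: config test failed, unreadable key: $(printf '%s\n' "$out" | failing_key_path)" >&2
        return 1
    fi
    return 0
}
```

In the init script the start action would call shibd_sanity_check with the key path taken from the configuration and only pass the -u/--user switch (or whatever mechanism the package settles on) when it returns 0; otherwise it starts as before and prints the path from failing_key_path so the administrator knows which permissions to change, as the NEWS.Debian entry would instruct.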

More information about the Pkg-shibboleth-devel mailing list