shibd as non-root

Ferenc Wagner wferi at niif.hu
Fri May 22 13:13:26 UTC 2009


Russ Allbery <rra at debian.org> writes:

> Ferenc Wagner <wferi at niif.hu> writes:
>
>> How should we best handle this?  By patching configs/shibd-debian.in in
>> the source tree to mkdir -p @-PKGRUNDIR-@ before starting the daemon?
>
> I think this is the right approach.

We probably have a good chance to upstream such init script changes
before the 2.2 release if we send in a concrete proposal now.  Aims:
 * run shibd as non-root,
 * allow for /var/run on tmpfs.
The second almost comes with the first, so let's deal with them
together.

Creating a _shibd system user from postinst, changing ownership of
/var/{run,log}/shibboleth and adding --chuid to the init script is
straightforward.  The problematic part is the private key, which shibd
must be able to read, but whose path is a configuration option, which
is presumably changed more often than the logging directory.  Even if
we parse it out of shibboleth2.xml, it may be unwise to change its
permissions behind the admin's back.

So how could we best avoid breaking systems on upgrade?
-- 
Cheers,
Feri.
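
An added example, not part of the original message and not the package's
init script: a pre-start check that recreates the runtime directory and
reports private keys the service account could not read, without touching
their permissions.  The function names, the _shibd group, the /etc/shibboleth
paths and reading the key path from the key="..." attribute of
CredentialResolver elements are assumptions.

```shell
#!/bin/sh
# Added example: pre-start checks for an unprivileged shibd.
# Assumed: user/group _shibd, /etc/shibboleth/shibboleth2.xml, and File
# CredentialResolver elements carrying the key path in a key="..." attribute.

# Print each private key path named in config $1, one per line; relative
# paths are resolved against directory $2. Commented-out elements are not
# filtered out, which can only cause a spurious warning.
key_paths() {
    tr '\n' ' ' < "$1" | grep -o '<CredentialResolver[^>]*>' |
        sed -n 's/.*[[:space:]]key="\([^"]*\)".*/\1/p' |
        while IFS= read -r k; do
            case $k in
                /*) printf '%s\n' "$k" ;;
                *)  printf '%s/%s\n' "$2" "$k" ;;
            esac
        done
}

# Succeed if the mode bits let user $1 (primary group $2) read file $3.
# Supplementary groups, ACLs and parent directories are not considered.
mode_allows_read() {
    [ -n "$(find -L "$3" -prune \( \
        \( -user "$1" -perm -400 \) -o \
        \( ! -user "$1" -group "$2" -perm -040 \) -o \
        \( ! -user "$1" ! -group "$2" -perm -004 \) \) -print 2>/dev/null)" ]
}

# Print the keys the account cannot read; return non-zero if there are any.
# Nothing is chmod'ed or chown'ed: fixing key permissions stays with the admin.
unreadable_keys() {   # args: user group config confdir
    bad=$(key_paths "$3" "$4" | while IFS= read -r f; do
        mode_allows_read "$1" "$2" "$f" || printf '%s\n' "$f"
    done)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Init-script fragment: recreate the runtime directory (lost at boot when
# /var/run is on tmpfs), then fail if dropping privileges would hide a key.
prestart() {
    mkdir -p /var/run/shibboleth && chown _shibd:_shibd /var/run/shibboleth
    unreadable_keys _shibd _shibd /etc/shibboleth/shibboleth2.xml /etc/shibboleth
}
```

An init script could call prestart before start-stop-daemon --chuid and, on
failure, print the listed paths and keep the previous behaviour instead of
starting a daemon that cannot load its key.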



More information about the Pkg-shibboleth-devel mailing list