shibd as non-root
Scott Cantor
cantor.2 at osu.edu
Fri May 22 18:08:25 UTC 2009
Russ Allbery wrote on 2009-05-22:
> Is there any way that we can check at startup time whether the _shibd
> user can read the private key? Some sort of shibd sanity check option
> would be great here. Then, we could modify the init script to change
> users iff the sanity check passed and document in NEWS.Debian that
> people should change the permissions on the private key so that _shibd
> can read it.
The problem is the configuration test process doesn't signal fatal errors
every time something's wrong, it relies on manual examination for spotting
problems. I'd have to think about it, but it's extremely non-trivial, there
are too many pluggable components to control that kind of thing from
outside.
But if you're talking about *installation* time changes here, the only
private key possible is the one it generates during installation, which has
a known location and name.
> We should probably put _shibd in the ssl-cert group so that this will
> just work for people who are using the standard Debian SSL key layout.
SSL credentials have no relationship to the ones used by the SP. I know Red
Hat has been pushing an /etc/pki tree, but if anything it would end up being
something like /etc/pki/<package> in that particular case.
-- Scott
More information about the Pkg-shibboleth-devel
mailing list