[SCM] Debian packaging for the 2.0 Apache Shibboleth SP branch, debian, updated. upstream/2.2.1+dfsg-140-g1524052

Russ Allbery rra at debian.org
Wed Nov 11 00:48:58 UTC 2009

The following commit has been merged in the debian branch:
commit 1524052d5e6b67f6a740008a2beef890fde9db1d
Author: Russ Allbery <rra at debian.org>
Date:   Tue Nov 10 16:48:14 2009 -0800

    Add a NEWS.Debian entry for the shibd run-time user change

diff --git a/debian/libapache2-mod-shib2.NEWS b/debian/libapache2-mod-shib2.NEWS
index 7a44615..0c332e7 100644
--- a/debian/libapache2-mod-shib2.NEWS
+++ b/debian/libapache2-mod-shib2.NEWS
@@ -1,3 +1,25 @@
+shibboleth-sp2 (2.3+dfsg-1) unstable; urgency=low
+  As of this release, running shibd as a non-root user is supported and
+  recommended to limit the impact of any potential security issues.  The
+  package will create a dedicated _shibd user on installation for that
+  purpose.
+  In order for shibd to run as user _shibd instead of as root, user _shibd
+  must have read access to the private key of the server.  The easiest way
+  is to make the private key, normally /etc/shibboleth/sp-key.pem, owned
+  by root and readable by group _shibd:
+      chown root:_shibd /etc/shibboleth/sp-key.pem
+      chmod 640 /etc/shibboleth/sp-key.pem
+  The init script attempts to detect, when starting up shibd, whether it
+  can read the private key specified in the configuration and, if not,
+  falls back on running shibd as root, as was done in previous versions of
+  this package.
+ -- Russ Allbery <rra at debian.org>  Tue, 10 Nov 2009 16:48:03 -0800
 shibboleth-sp2 (2.2.1+dfsg-2) unstable; urgency=low
   There are several changes to the configuration syntax and defaults in
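
Review bot: the fallback described in the last paragraph of the new entry ("falls back on running shibd as root, as was done in previous versions") means an administrator who skips the chown/chmod step keeps a root-owned shibd with no visible change, so the recommended privilege drop can fail to take effect without anyone noticing. The entry should say whether the init script reports the fallback and where, and tell the reader to confirm after restart that the shibd process is owned by _shibd. The two commands also hard-code /etc/shibboleth/sp-key.pem, while the text says the init script checks "the private key specified in the configuration"; add a sentence that a site using a different key path must apply the same ownership and mode to that file instead.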
