Bastian Blank <[EMAIL PROTECTED]> writes:

> krb5kdc should be able to reduce its own privileges by using
> setuid/setgid to a different user after binding the ports. krb5kdc does
> not support being reconfigured at runtime anyway, so IMHO it doesn't need
> root privileges to work.
>
> kadmind needs to use the same user then and the db needs to be owned by
> this.
I'll file this upstream, but I expect that from an upstream perspective it will be a low priority. For most sites, the Kerberos database itself is more valuable than root on a given system, and any compromise of the KDC or kadmind would provide ways to gain root not only on the KDC but on many other systems. So in many cases this doesn't provide a lot of additional security at a theoretical level.

This is not to say that it's a bad idea. It's an entirely reasonable idea and would provide a lot of protection against unsophisticated attackers who are just after root on a system and don't have the resources or knowledge to make use of access to the KDC database. I just wanted to let you know why I don't anticipate very quick action on this.

I expect that upstream would welcome a patch, though, if you (or anyone else) have time to develop one.

--
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
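The "bind the ports, then setuid/setgid to a different user" pattern discussed in this thread, as an added illustration that is not part of either message and not code from krb5kdc or kadmind. It binds a UDP socket (port 88 is the standard Kerberos port, which is why the bind has to happen while still root), then drops to an unprivileged account and verifies that the drop is permanent. The account name "kdc-user" is a placeholder, not a user the thread names; the functions and their names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Bind a UDP socket to a port. Ports below 1024 (such as Kerberos' 88)
 * need root or CAP_NET_BIND_SERVICE, so a daemon binds first and drops
 * privileges afterwards. Returns the socket fd, or -1 with errno set. */
static int bind_udp_port(unsigned short port) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_ANY);
    addr.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permanently drop to uid/gid. Order matters: supplementary groups first
 * (only root may clear them), then the gid (after setuid we could no
 * longer change group), then the uid. setgid/setuid set the real,
 * effective and saved ids, so the drop cannot be undone. Returns 0 on
 * success, -1 on failure or if the drop verifiably did not stick. */
static int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0) return -1;
    if (setuid(uid) < 0) return -1;
    /* Verify: ids must match, and re-escalation to root must now fail. */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    if (uid != 0 && setuid(0) != -1) return -1;
    if (gid != 0 && setgid(0) != -1) return -1;
    return 0;
}

/* Returns 1 when no real or effective root identity remains. */
static int is_unprivileged(void) {
    return getuid() != 0 && geteuid() != 0 && getgid() != 0 && getegid() != 0;
}

int main(void) {
    /* "kdc-user" is a placeholder account name for this example. */
    const char *user = "kdc-user";
    int fd = bind_udp_port(88);               /* must happen while still root */
    if (fd < 0) { perror("bind udp/88"); return 1; }
    struct passwd *pw = getpwnam(user);
    if (!pw) { fprintf(stderr, "no such user: %s\n", user); return 1; }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) < 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("listening on udp/88 as uid %u, unprivileged=%d\n",
           (unsigned)getuid(), is_unprivileged());
    close(fd);                                /* the real daemon would serve here */
    return 0;
}
```

The re-escalation check at the end of drop_privileges is the part worth keeping in a real daemon: on Linux a non-root process cannot call setuid(0) successfully, so a call that does not fail means the privileges were not actually dropped (for example because only the effective id was changed). Note that this matches the thread's caveat about what the drop buys: the database files must then be owned by that same user, and a compromise of the process still yields everything that user can read.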