Your message dated Mon, 16 Jul 2018 17:48:11 -0400 with message-id <[email protected]> and subject line "krb5-kdc.service reduces privilege" has caused the Debian Bug report #477309, regarding "krb5-kdc: should be able to reduce privileges", to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
477309: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=477309
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: krb5-kdc
Version: 1.6.dfsg.3~beta1-4
Severity: wishlist

krb5kdc should be able to reduce its own privileges by using setuid/setgid to a different user after binding the ports. krb5kdc does not support being reconfigured at runtime anyway, so it IMHO doesn't need root privileges for working. kadmind needs to use the same user then and the db needs to be owned by this.

Bastian

--
Killing is wrong.
		-- Losira, "That Which Survives", stardate unknown
--- End Message ---
--- Begin Message ---
source-version: 1.12.1+dfsg-11

Hi.

You requested that krb5 support running as a non-root user. As discussed in the Debian and upstream bug reports, that ended up being a low priority, but the rest of the world has caught up with us.

The systemd unit for krb5-kdc drops all capabilities (including DAC_OVERRIDE) except for binding to reserved ports. It also marks much of the filesystem read-only.

This isn't quite the same as running as non-root, but it provides a lot of the functionality, enough so that I'm going to claim we meet the spirit of this bug.

Actually with systemd we could go the rest of the way and run as non-root. I don't anticipate writing that packaging patch myself, but I'd be happy to review one. We'd need to:

* run kadmind and krb5-kdc as a non-root user in the systemd units
* Give them the capability to bind reserved ports even as non-root (not hard at all)
* Handle upgrades and chowning the database/creating the non-root user.

It's that last bullet point that exceeds my threshold for work/value right now.
--- End Message ---
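The closing message distinguishes a root process stripped down to the reserved-port capability from a process that actually runs as non-root. The following is an added example, not part of the bug thread or the krb5 packaging: it audits a process's `/proc/<pid>/status` for both properties. The three status snippets, the uid 118 and the helper names are constructed for illustration.

```python
import re

# Capability bit numbers from <linux/capability.h>; unnamed bits print as cap_<n>.
CAP_NAMES = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 6: "CAP_SETGID",
             7: "CAP_SETUID", 10: "CAP_NET_BIND_SERVICE"}
ALLOWED = {"CAP_NET_BIND_SERVICE"}  # all a daemon on reserved ports needs

def decode_caps(mask_hex):
    """Turn a hex capability mask from /proc into a set of names."""
    mask = int(mask_hex, 16)
    return {CAP_NAMES.get(bit, f"cap_{bit}")
            for bit in range(mask.bit_length()) if mask >> bit & 1}

def audit_status(status_text):
    """Report effective uid and any capability beyond ALLOWED."""
    fields = dict(re.findall(r"^(\w+):[ \t]*(.*)$", status_text, re.M))
    euid = int(fields["Uid"].split()[1])  # order: real, effective, saved, fs
    result = {"euid": euid, "non_root": euid != 0}
    held = set()
    # The bounding set is included because it limits what a later exec can gain.
    for key in ("CapEff", "CapPrm", "CapBnd"):
        result[key] = decode_caps(fields[key])
        held |= result[key]
    result["excess"] = held - ALLOWED
    result["caps_minimal"] = not result["excess"]
    return result

def audit_pid(pid):
    """Audit a live process, e.g. the main PID of the KDC service."""
    with open(f"/proc/{pid}/status") as fh:
        return audit_status(fh.read())

def make_status(uid, mask):  # builds constructed sample input
    return (f"Name:\tkrb5kdc\nUid:\t{uid}\t{uid}\t{uid}\t{uid}\n"
            f"CapPrm:\t{mask}\nCapEff:\t{mask}\nCapBnd:\t{mask}\n")

UNCONFINED_ROOT = make_status(0, "000001ffffffffff")  # root, full capability set
RESTRICTED_ROOT = make_status(0, "0000000000000400")  # root, bind-only (as described)
NON_ROOT = make_status(118, "0000000000000400")       # non-root, bind-only

if __name__ == "__main__":
    for name in ("UNCONFINED_ROOT", "RESTRICTED_ROOT", "NON_ROOT"):
        r = audit_status(globals()[name])
        print(name, "non_root:", r["non_root"], "excess:", sorted(r["excess"]))
```

The middle case is the state the closing message describes: `caps_minimal` is true while `non_root` is still false, so file ownership checks are the only thing keeping uid 0 from the database once DAC_OVERRIDE is gone.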

