Well, the third and only correct solution would be xrdp getting its own
mechanism for dropping prvileges, so it could read the key as root and
then drop to the xrdp user.

You have a point. Running daemon under user privilege is a good practice
if root privilege is actually unnecessary. xrdp should take care of being
run under user privilege.

For now, I think the local administrator should add xrdp to the ssl-cert
group if they want to use TLS. This is IMHO not a bug in the package,
because by default, xrdp also uses RDP security and adding daemon users
to ssl-cert is a common and well-known practice.

OK. If it's a common practice in Debian I agree that the local administrator should adjust the group. Anyway, xrdp should output user-friendly logs when
certificate/private key is not accessible. I'll make a fix for that in
upstream.

--
`whois vmeta.jp | nkf -w`
meta <[email protected]>

Reply via email to