Hi, 

> Has anyone successfully configured OpenXPKI to run as a non-root user? I'm
> preparing an install for a hardened Linux server. One of the requirements is
> that additional packages need to run as non-root.
>
> I've made some changes in the openxpkid.service file as well as the
> system/server.yaml file and keep hitting permissions issues with the
> openxpkid.pid or openxpkid.socket files. I've noticed that running as root
> allows the pid and socket to change ownership when they're created, but trying
> to configure the permissions and directories still causes permission issues
> whenever OpenXPKI is started.

The OpenXPKI daemon needs to be started as root because it needs to properly
set the configured user and group ownership of the OpenXPKI Unix Domain Socket.
Like any traditional, well-behaved Unix daemon, OpenXPKI drops its privileges
immediately after the setup and runs as the configured non-privileged runtime
user.
Proper design of permissions and ownership of this socket is absolutely
required for a secure setup in which both the Apache frontend can communicate
with OpenXPKI and OpenXPKI can properly communicate with crypto hardware. In
particular with certain HSMs you will want to set up users, groups and
permissions properly in order to secure the system.

To summarize: works as designed. Starting the daemon as non-root does not
improve security; instead, the system would be less secure if it were not
started as root, because in that case one single user must be used for all
system components.

Cheers,

Martin 
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
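As an added illustration (not OpenXPKI's own code, which is Perl), the start-up order described in the reply above, in Python: create the Unix domain socket, hand it to the configured runtime user and group while still root, then drop privileges irreversibly. The function names, the `openxpkid.socket` path under a temp directory and the 0660 mode are assumptions; called with default arguments it uses the caller's own ids, so the sequence can be exercised without root.

```python
import os
import socket
import stat
import tempfile


def prepare_socket(path, uid, gid, mode=0o660):
    """Create the socket while still privileged and hand it to the runtime
    user/group. chown to a different uid requires root, which is why the
    daemon must start as root; the frontend then connects via group access."""
    if os.path.exists(path):
        os.unlink(path)
    old_umask = os.umask(0o177)        # never expose the socket before chmod
    try:
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
    finally:
        os.umask(old_umask)
    os.chown(path, uid, gid)
    os.chmod(path, mode)
    srv.listen(5)
    return srv


def drop_privileges(uid, gid):
    """Switch to the runtime identity. Order matters: supplementary groups,
    then gid, then uid, because after setuid() the other two are refused."""
    if os.getuid() == 0:
        os.setgroups([])               # only root may clear supplementary groups
    os.setgid(gid)
    os.setuid(uid)
    return os.getuid(), os.getgid()


def privileges_irrevocable():
    """Hardening check: a correctly dropped process cannot become root again."""
    try:
        os.setuid(0)
    except PermissionError:
        return True
    return False                       # still root: the drop did not happen


def run_demo(uid=None, gid=None):
    """Run the sequence and report what a hardening review would inspect."""
    uid = os.getuid() if uid is None else uid
    gid = os.getgid() if gid is None else gid
    path = os.path.join(tempfile.mkdtemp(), "openxpkid.socket")  # constructed path
    srv = prepare_socket(path, uid, gid)
    st = os.stat(path)
    srv.close(); os.unlink(path)       # demo cleanup; a real daemon keeps the socket open
    return {"is_socket": stat.S_ISSOCK(st.st_mode), "mode": stat.S_IMODE(st.st_mode),
            "owner": (st.st_uid, st.st_gid), "runtime": drop_privileges(uid, gid),
            "irrevocable": privileges_irrevocable()}


if __name__ == "__main__":
    print(run_demo())
```

Run as root with a real runtime uid/gid, `owner` and `runtime` must match and `irrevocable` must be True; a False there means the daemon is still running as root after start-up.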
