Martin,
Thanks for the clarification!
-S
On Sat, Sep 30, 2023 at 18:08, Martin Bartosch via OpenXPKI-users
<[email protected]> wrote:
> Hi,
>
>> Has anyone successfully configured OpenXPKI to run as a non-root user? I'm
>> preparing an install for a hardened Linux server. One of the requirements is
>> additional packages need to run as non-root.
>>
>> I've made some changes in the openxpkid.service file as well as the
>> system/server.yaml file and keep hitting permissions issues with the
>> openxpkid.pid or openxpkid.socket files. I've noticed that running as root
>> allows the pid and socket to change ownership when they're created but
>> trying to configure the permissions and directories still causes permission
>> issues whenever the openxpki is started.
>
> The OpenXPKI Daemon needs to be started as root because it needs to properly
> set the configured user and group ownership of the OpenXPKI Unix Domain
> Socket. Like any traditional, well-behaved Unix daemon OpenXPKI drops its
> privileges immediately after the setup and runs as the configured
> non-privileged runtime user.
> Proper design of permissions and ownership of this socket is absolutely
> required for a secure setup in which both the Apache frontend can communicate
> with OpenXPKI as well as OpenXPKI can properly communicate with crypto
> hardware. In particular with certain HSMs you will want to set up users,
> groups and permissions properly in order to secure the system.
>
> To summarize: Works as designed. Starting the daemon as non-root does not
> improve security, instead the system would be less secure if it were not
> started as root, because in that case one single user must be used for all
> system components.
>
> Cheers,
>
> Martin
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
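
Added example, not part of the thread and not OpenXPKI code: a check of the ownership and mode on a daemon's Unix domain socket, the property the quoted reply says is set up as root before privileges are dropped. The expected uid/gid arguments and the sample socket are constructed here; substitute the socket path and runtime user and group from your own configuration.

```python
import os
import socket
import stat
import tempfile


def audit_socket(path, expected_uid, expected_gid):
    """Return a list of findings; an empty list means the socket looks sane."""
    st = os.lstat(path)  # lstat: do not follow a symlink planted at the path
    if not stat.S_ISSOCK(st.st_mode):
        return [f"{path}: not a Unix domain socket"]
    findings = []
    if st.st_uid != expected_uid:
        findings.append(f"owner uid {st.st_uid}, expected {expected_uid}")
    if st.st_gid != expected_gid:
        findings.append(f"group gid {st.st_gid}, expected {expected_gid}")
    mode = stat.S_IMODE(st.st_mode)
    # On Linux, connect() needs write permission on the socket file.
    if mode & stat.S_IWOTH:
        findings.append(f"mode {mode:04o}: any local user can connect")
    # Anyone who can write the parent directory can unlink and replace the socket.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory is world-writable without sticky bit")
    return findings


def make_sample_socket(mode):
    """Constructed sample: bind a socket in a fresh temp dir and set its mode."""
    path = os.path.join(tempfile.mkdtemp(), "sample.socket")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, mode)
    return srv, path


if __name__ == "__main__":
    for mode in (0o660, 0o666):
        srv, path = make_sample_socket(mode)
        st = os.lstat(path)
        print(f"{mode:04o}", audit_socket(path, st.st_uid, st.st_gid))
        srv.close()
```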