Re: [OpenXPKI-users] Run as non-root

2023-09-30 Thread Martin Bartosch via OpenXPKI-users
Hi, 

> Has anyone successfully configured OpenXPKI to run as a non-root user? I'm 
> preparing an install for a hardened Linux server. One of the requirements is
> additional packages need to run as non-root. 
> 
> I've made some changes in the openxpkid.service file as well as the 
> system/server.yaml file and keep hitting permissions issues with the 
> openxpkid.pid or openxpkid.socket files. I've noticed that running as root 
> allows the pid and socket to change ownership when they're created but trying 
> to configure the permissions and directories still causes permission issues 
> whenever the openxpki is started.

The OpenXPKI Daemon needs to be started as root because it needs to properly 
set the configured user and group ownership of the OpenXPKI Unix Domain Socket. 
Like any traditional, well-behaved Unix daemon, OpenXPKI drops its privileges 
immediately after the setup and runs as the configured non-privileged runtime 
user. 
Proper design of permissions and ownership of this socket is absolutely 
required for a secure setup in which both the Apache frontend can communicate 
with OpenXPKI as well as OpenXPKI can properly communicate with crypto 
hardware. In particular with certain HSMs you will want to set up users, groups 
and permissions properly in order to secure the system.

To summarize: Works as designed. Starting the daemon as non-root does not 
improve security; instead, the system would be less secure if it were not 
started as root, because in that case one single user must be used for all 
system components.

Cheers,

Martin
___
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
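
The design described in the reply above (daemon started as root, socket created with the configured owner and group, runtime under a non-privileged user) can be verified after startup. The following is an added example, not part of the original messages and not OpenXPKI code; the function names, the socket file name and the expected uid/gid values are assumptions, and the /proc lookup is Linux-specific.

```python
import os
import socket
import stat
import tempfile

def audit_socket(path, owner_uid, group_gid):
    """Return findings for a daemon's Unix domain socket (empty list = OK)."""
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode):
        return [f"{path}: not a Unix domain socket"]
    findings = []
    if st.st_uid != owner_uid:
        findings.append(f"owner uid {st.st_uid}, expected {owner_uid}")
    if st.st_gid != group_gid:
        findings.append(f"group gid {st.st_gid}, expected {group_gid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o007:
        findings.append(f"mode {mode:04o} grants access to 'other'")
    return findings

def process_uids(pid):
    """Real, effective, saved and filesystem uid of pid, read from /proc."""
    with open(f"/proc/{pid}/status") as fh:
        for line in fh:
            if line.startswith("Uid:"):
                return tuple(int(field) for field in line.split()[1:5])
    raise RuntimeError(f"no Uid line for pid {pid}")

def audit_privilege_drop(uids):
    """After a complete privilege drop, none of the four uids is 0."""
    names = ("real", "effective", "saved", "filesystem")
    return [f"{n} uid is still 0" for n, uid in zip(names, uids) if uid == 0]

def demo():
    """Constructed sample: a throwaway socket standing in for the daemon's."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "example.socket")  # placeholder name
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
        st = os.lstat(path)
        os.chmod(path, 0o660)  # owner and group only
        good = audit_socket(path, st.st_uid, st.st_gid)
        os.chmod(path, 0o666)  # any local user could connect
        bad = audit_socket(path, st.st_uid, st.st_gid)
        srv.close()
    return good, bad

if __name__ == "__main__":
    print(demo(), audit_privilege_drop(process_uids(os.getpid())))
```

On a real host, pass the socket path from your own configuration, the numeric ids of the configured socket owner and group, and the pid from the daemon's pid file.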


[OpenXPKI-users] Run as non-root

2023-09-30 Thread S W via OpenXPKI-users
Good morning team,

Has anyone successfully configured OpenXPKI to run as a non-root user? I'm 
preparing an install for a hardened Linux server. One of the requirements is 
additional packages need to run as non-root.

I've made some changes in the openxpkid.service file as well as the 
system/server.yaml file and keep hitting permissions issues with the 
openxpkid.pid or openxpkid.socket files. I've noticed that running as root 
allows the pid and socket to change ownership when they're created but trying 
to configure the permissions and directories still causes permission issues 
whenever the openxpki is started.

Please and thank you if anyone is able to share how they might have configured 
this.

-S