Running Kerberos as a different user than root

Russ Allbery rra at stanford.edu
Wed Mar 2 16:41:50 EST 2011


Dave <steiner.dave at gmail.com> writes:

> We've been running Kerberos for a number of years.  We've always run all
> the processes (including kprop, kadmin, etc) as root.  A new group has
> taken over running these machines and don't want to give the Kerberos
> support people root access.  I've looked around but I can't find out if
> Kerberos can run as a non-root user.

No reason that I can see provided that you find a way for the KDC to bind
to port 88 before dropping privileges.  But I don't think the code has any
built-in way of doing that other than starting the KDC as root.

Note, of course, that if you generally use Kerberos for authentication for
your systems, your operations group is being ridiculous here.  Any
Kerberos KDC administrator could just change the password of one of the
operations people and then gain root that way.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


