Kerberos as non-root

David E. Cross crossd at
Mon Sep 30 19:08:01 EDT 2002

I am considering making a very *very* simple change to the KDC/kadmind as
follows:  start as root, bind any resources (files, network ports, etc).

The motivation for this is as follows:

A compromise of the KDC, as root, gives the attackers the ability to cover
their footprints relatively easily (unless the KDC admin goes through the 
additional effort to setup remote logging, etc:  even then there is some 
information stored localy, like wtmp/utmp that is prone to tinkering)

Also by having the kdc/kadmin running as "not root" you can still have the 
important files only readable by root. An attacker then would not have 
easy access to the database. They would need to do all database accesses
through the compromised KDC, which isn't as easy as just downloading the
entire DB.

Comments, suggestions?

David Cross                               | email: crossd at 
Lab Director                              | Rm: 308 Lally Hall
Rensselaer Polytechnic Institute,         | Ph: 518.276.2860            
Department of Computer Science            | Fax: 518.276.4033
I speak only for myself.                  | WinNT:Linux::Linux:FreeBSD

More information about the krbdev mailing list