On Fri, Sep 24, 2010 at 09:44:21AM +0100, Chris Ridd wrote:

> We've got some long-lived server processes (ldap, smtp, imap, xmpp)
> that support clients authenticating using SASL and GSS-API. AIUI, the
> servers call (through a maze of twisty libraries and plugins and
> callbacks) gss_acquire_cred() on demand when they start to talk to a
> client, and that call tends to involve opening /etc/krb5/krb5.keytab
> to retrieve some secret info for the process/host.
>
> That works OK as long as the server stays running as root, because the
> keytab file is only readable by root:root.
>
> But we don't *want* to stay running as root. Normally what we try to
> do is drop to a less privileged uid after listening on privileged
> ports etc, but that will simply cause the next call to
> gss_acquire_cred() to fail with permissions problems.
Why do you need to keep calling gss_acquire_cred()? Have you tried re-using that one credential handle acquired before dropping privileges?

Nico

--
security-discuss mailing list
[email protected]
