#5337 [RFE] Reduce number of components of IPA that run as root
Closed: wontfix 5 years ago by rcritten. Opened 8 years ago by dpal.

Right now KDC and ipa-otp run as root. Other parts of IPA might too, this needs to be confirmed/investigated. It would be great is we can switch processes to running as not root. That would help pass audit checks in the environments with the tightened security policies.


Some notes:

  • ab: note that Samba always needs root because it needs to transition between root and specific user identity. Changing it to something else ('samba' or 'nobody') does not give anything because the capability to change identity on the fly gives you root privileges back.
  • ab: KDC runs under root as well, to allow ldapi to DM mapping but this could be changed by providing specific user to DM mapping over ldapi
    • this can be solved easily
  • ab: for the rest we now have privilege separation (SSSD and oddjobd-based tools)

Metadata Update from @dpal:
- Issue assigned to someone
- Issue set to the milestone: Future Releases

7 years ago

Thank you taking time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.

Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

5 years ago

Login to comment on this ticket.

Metadata