Privilege separation
Unless explicitly told not to at startup, Kore forces each of its processes to run under different users and chroots.
There are 3 process types that can be configured for privsep:
- worker
- keymgr
- acme
The following example configures the worker processes to run as user kore, with a chroot under /var/chroot/kore:
privsep worker {
    # The user the workers will run as.
    runas kore
    # The root directory for the worker processes. If chroot isn't
    # skipped, this is the directory it will chroot into.
    #
    # If not set, Kore will take the current working directory.
    root /var/chroot/kore
    # We could configure this process to not chroot and only
    # chdir into its root directory.
    #skip chroot
}
Random
Important: If you are running Kore chrooted and privilege separated (which you should be doing in production), Kore requires /dev/urandom to be created under the chroot environment for both the keymgr and worker processes.
Failing to do so will prevent your application from working.
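A preflight check for this requirement, added here as an example and not part of Kore: it verifies that a chroot contains a usable /dev/urandom and can create the node when it is missing. The function names are hypothetical, and the device numbers (major 1, minor 9) assume Linux.

```shell
#!/bin/sh
# Added example, not part of Kore. Function names are hypothetical.
# Assumes Linux, where /dev/urandom is character device major 1, minor 9.

# check_chroot_urandom ROOT
# Returns 0 if ROOT/dev/urandom exists, is a character device and can be read.
# Returns 1 (missing), 2 (wrong file type) or 3 (unreadable, e.g. the
# chroot sits on a filesystem mounted with nodev).
check_chroot_urandom() {
    dev="$1/dev/urandom"
    if [ ! -e "$dev" ]; then
        echo "missing: $dev" >&2
        return 1
    fi
    if [ ! -c "$dev" ]; then
        echo "not a character device: $dev" >&2
        return 2
    fi
    if ! dd if="$dev" of=/dev/null bs=16 count=1 2>/dev/null; then
        echo "cannot read: $dev" >&2
        return 3
    fi
    return 0
}

# create_chroot_urandom ROOT
# Creates ROOT/dev/urandom if absent (must run as root), then re-checks it.
create_chroot_urandom() {
    if [ ! -e "$1/dev/urandom" ]; then
        mkdir -p "$1/dev" || return 1
        mknod "$1/dev/urandom" c 1 9 || return 1
        chmod 0666 "$1/dev/urandom" || return 1
    fi
    check_chroot_urandom "$1"
}

# Usage, run as root before starting Kore, once per chroot that the
# worker and keymgr privsep blocks name in their "root" setting:
#   create_chroot_urandom /var/chroot/kore
```

A regular file named urandom, or a device node on a nodev mount, passes a simple existence test but fails this check, which is why the function tests the file type and performs a real read.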