Privilege separation

Unless explicitly started to not do so, Kore will force each of its processes to run under different users and chroots.

There are 3 process types that can be configured for privsep:

  • worker
  • keymgr
  • acme

An example on configuring the worker processes to run as user kore, with a chroot under /var/chroot/kore.

privsep worker {
    # The user the workers will run as.
    runas        kore

    # The root directory for the worker processes, if chroot isn't
    # skipped, this is the directory it will chroot into.
    # If not set, Kore will take the current working directory.
    root        /var/chroot/kore

    # We could configure this process to not chroot and only
    # chdir into its root directory.
    #skip        chroot


Important If you are running Kore chrooted and privilege separated (which you should be doing production), Kore will require /dev/urandom to be created under the chroot environment for both the keymgr and worker processes.

Failing to do so will prevent your application from working.

results matching ""

    No results matching ""