Subject: krb5kdc and kadmind could drop privileges after binding

A Debian user requested that krb5kdc and kadmind support dropping privileges after binding to network ports and run as a non-root user with access to the KDC database. This isn't particularly compelling for sites where the KDC holds the keys to everything anyway, but if one is using a KDC for a guest realm, for a specific purpose, or in some other more limited situation, this provides some additional security protection. It also provides some protection against unsophisticated attackers who know how to use a root exploit but who don't have the resources or knowledge to make use of access to the KDC database.

See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=477309 for the original report.