Next: , Previous: , Up: Configure the Software   [Contents][Index]


2.1.2 Least-Privilege support

Additionally, you may configure zebra to drop its elevated privileges shortly after startup and switch to another user. The configure script will automatically try to configure this support. There are three configure options to control the behaviour of Quagga daemons.

--enable-user=user

Switch to user ARG shortly after startup, and run as user ARG in normal operation.

--enable-group=group

Switch real and effective group to group shortly after startup.

--enable-vty-group=group

Create Unix Vty sockets (for use with vtysh) with group owndership set to group. This allows one to create a seperate group which is restricted to accessing only the Vty sockets, hence allowing one to delegate this group to individual users, or to run vtysh setgid to this group.

The default user and group which will be configured is ’quagga’ if no user or group is specified. Note that this user or group requires write access to the local state directory (see –localstatedir) and requires at least read access, and write access if you wish to allow daemons to write out their configuration, to the configuration directory (see –sysconfdir).

On systems which have the ’libcap’ capabilities manipulation library (currently only linux), the quagga system will retain only minimal capabilities required, further it will only raise these capabilities for brief periods. On systems without libcap, quagga will run as the user specified and only raise its uid back to uid 0 for brief periods.