Can someone recommend a method for providing an unpriviledged child
process with a gss_cred_id_t derived from a keytab but without exposing
the key to the child?

Specifically, I have a service that starts out as root and forks a
child. The child then changes it's uid/gid to an unpriviledged user,
does gss_init_sec_context, and then performs user defined work until
the service is stopped (meaning it could be running indefinitely).

As it is, if I simply putenv("KRB5_KTNAME=/var/lib/test/test.keytab")
the keytab file must be readable by the unpriviledged user. I don't
think I care if they have a ticket but with the raw key they could
decrypt network traffic and do generally evil things.

Any ideas?

Kerberos mailing list