From: Razvan Becheriu Date: Tue, 10 Jun 2025 17:14:17 +0000 (+0300) Subject: [#3541] addressed review comments X-Git-Tag: Kea-3.0.0~122 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e119fc96932df4bb1cf72df150c6ebba4e410732;p=thirdparty%2Fkea.git [#3541] addressed review comments --- diff --git a/doc/examples/agent/comments.json b/doc/examples/agent/comments.json index b1c7078e5e..97c8a7f3dd 100644 --- a/doc/examples/agent/comments.json +++ b/doc/examples/agent/comments.json @@ -16,9 +16,7 @@ // listener is different (e.g. 8001) than the one used by CA. Note // the commands should still be sent via CA. The dedicated listener // is specifically for HA updates only. - // For security reasons, Kea should be run as non root user, a port lower - // than 1024 should be used (e.g. 890) and, on Linux systems, the process - // should have 'CAP_NET_BIND_SERVICE' capabilities. + // For security reasons, a port lower than 1024 should be used (e.g. 890). "http-port": 8000, // Extra HTTP headers to add in responses. diff --git a/doc/examples/agent/https.json b/doc/examples/agent/https.json index b8e459ac2e..c566c4e938 100644 --- a/doc/examples/agent/https.json +++ b/doc/examples/agent/https.json @@ -13,9 +13,7 @@ // listener is different (e.g. 8001) than the one used by CA. Note // the commands should still be sent via CA. The dedicated listener // is specifically for HA updates only. - // For security reasons, Kea should be run as non root user, a port lower - // than 1024 should be used (e.g. 890) and, on Linux systems, the process - // should have 'CAP_NET_BIND_SERVICE' capabilities. + // For security reasons, a port lower than 1024 should be used (e.g. 890). "http-port": 8000, // TLS trust anchor (Certificate Authority). This is a file name or diff --git a/doc/examples/agent/rbac.json b/doc/examples/agent/rbac.json index 05a8c84545..fa35242f97 100644 --- a/doc/examples/agent/rbac.json +++ b/doc/examples/agent/rbac.json @@ -13,9 +13,7 @@ // listener is different (e.g. 8001) than the one used by CA. Note // the commands should still be sent via CA. The dedicated listener // is specifically for HA updates only. - // For security reasons, Kea should be run as non root user, a port lower - // than 1024 should be used (e.g. 890) and, on Linux systems, the process - // should have 'CAP_NET_BIND_SERVICE' capabilities. + // For security reasons, a port lower than 1024 should be used (e.g. 890). "http-port": 8000, // TLS trust anchor (Certificate Authority). This is a file name or diff --git a/doc/examples/agent/simple.json b/doc/examples/agent/simple.json index ed37481fb9..f76fddc710 100644 --- a/doc/examples/agent/simple.json +++ b/doc/examples/agent/simple.json @@ -13,9 +13,7 @@ // listener is different (e.g. 8001) than the one used by CA. Note // the commands should still be sent via CA. The dedicated listener // is specifically for HA updates only. - // For security reasons, Kea should be run as non root user, a port lower - // than 1024 should be used (e.g. 890) and, on Linux systems, the process - // should have 'CAP_NET_BIND_SERVICE' capabilities. + // For security reasons, a port lower than 1024 should be used (e.g. 890). "http-port": 8000, // Extra HTTP headers to add in responses. diff --git a/doc/examples/kea4/all-keys.json b/doc/examples/kea4/all-keys.json index 5315b37d38..cb765ce85e 100644 --- a/doc/examples/kea4/all-keys.json +++ b/doc/examples/kea4/all-keys.json @@ -173,10 +173,7 @@ // commands should still be sent to a control socket. // The dedicated listener is specifically for HA // updates only. - // For security reasons, Kea should be run as non root - // user, a port lower than 1024 should be used (e.g. 894) - // and, on Linux systems, the process should have - // 'CAP_NET_BIND_SERVICE' capabilities. + // For security reasons, a port lower than 1024 should be used (e.g. 894). "socket-port": 8004, // TLS trust anchor (Certificate Authority). This is a diff --git a/doc/examples/kea4/ha-load-balancing-server1-mt-with-tls.json b/doc/examples/kea4/ha-load-balancing-server1-mt-with-tls.json index 733b4e6c18..a25161338f 100644 --- a/doc/examples/kea4/ha-load-balancing-server1-mt-with-tls.json +++ b/doc/examples/kea4/ha-load-balancing-server1-mt-with-tls.json @@ -162,9 +162,7 @@ // instance if multi-threading is enabled. // The "http-host" and "http-port" values must be set to different // values then the ones used by the Control Agent. - // For security reasons, Kea should be run as non root user, a port lower - // than 1024 should be used (e.g. 895) and, on Linux systems, the process - // should have 'CAP_NET_BIND_SERVICE' capabilities. + // For security reasons, a port lower than 1024 should be used (e.g. 895). "url": "http://192.168.56.33:8005", // Trust anchor aka certificate authority file or directory. "trust-anchor": "/usr/lib/kea/CA.pem", @@ -185,10 +183,8 @@ // channel can be reached. The Control Agent is not required // to run on the partner's machine if multi-threading is enabled. // The "http-host" and "http-port" values must be set to different - // values then the ones used by the Control Agent - // For security reasons, Kea should be run as non root user, a port lower - // than 1024 should be used (e.g. 895) and, on Linux systems, the process - // should have 'CAP_NET_BIND_SERVICE' capabilities. + // values then the ones used by the Control Agent. + // For security reasons, a port lower than 1024 should be used (e.g. 895). "url": "http://192.168.56.66:8005", // Trust anchor aka certificate authority file or directory. "trust-anchor": "/usr/lib/kea/CA.pem", diff --git a/doc/examples/kea4/ha-load-balancing-server2-mt.json b/doc/examples/kea4/ha-load-balancing-server2-mt.json index e4fa98385f..528b0a5c74 100644 --- a/doc/examples/kea4/ha-load-balancing-server2-mt.json +++ b/doc/examples/kea4/ha-load-balancing-server2-mt.json @@ -161,9 +161,7 @@ // to run on the partner's machine if multi-threading is enabled. // The "http-host" and "http-port" values must be set to different // values then the ones used by the Control Agent. - // For security reasons, Kea should be run as non root user, a port lower - // than 1024 should be used (e.g. 895) and, on Linux systems, the process - // should have 'CAP_NET_BIND_SERVICE' capabilities. + // For security reasons, a port lower than 1024 should be used (e.g. 895). "url": "http://192.168.56.33:8005", // The partner is primary. This server is secondary. "role": "primary" @@ -176,9 +174,7 @@ // instance if multi-threading is enabled. // The "http-host" and "http-port" values must be set to different // values then the ones used by the Control Agent. - // For security reasons, Kea should be run as non root user, a port lower - // than 1024 should be used (e.g. 895) and, on Linux systems, the process - // should have 'CAP_NET_BIND_SERVICE' capabilities. + // For security reasons, a port lower than 1024 should be used (e.g. 895). "url": "http://192.168.56.66:8005", // This server is secondary. The other one must be // primary. diff --git a/doc/examples/kea6/all-keys.json b/doc/examples/kea6/all-keys.json index 1eaa975b07..8b370aa13a 100644 --- a/doc/examples/kea6/all-keys.json +++ b/doc/examples/kea6/all-keys.json @@ -124,10 +124,7 @@ // commands should still be sent to a control socket. // The dedicated listener is specifically for HA // updates only. - // For security reasons, Kea should be run as non root - // user, a port lower than 1024 should be used (e.g. 896) - // and, on Linux systems, the process should have - // 'CAP_NET_BIND_SERVICE' capabilities. + // For security reasons, a port lower than 1024 should be used (e.g. 896). "socket-port": 8006, // TLS trust anchor (Certificate Authority). This is a diff --git a/doc/examples/kea6/ha-hot-standby-server1-with-tls.json b/doc/examples/kea6/ha-hot-standby-server1-with-tls.json index a5ae2ae927..49c100b548 100644 --- a/doc/examples/kea6/ha-hot-standby-server1-with-tls.json +++ b/doc/examples/kea6/ha-hot-standby-server1-with-tls.json @@ -94,10 +94,7 @@ // Control Agent must run along with this DHCPv6 server // instance and the "http-host" and "http-port" must be // set to the corresponding values. - // For security reasons, Kea should be run as non root - // user, a port lower than 1024 should be used (e.g. 897) - // and, on Linux systems, the process should have - // 'CAP_NET_BIND_SERVICE' capabilities. + // For security reasons, a port lower than 1024 should be used (e.g. 897). "url": "http://192.168.56.33:8007", // This server is primary. The other one must be // standby. @@ -110,10 +107,7 @@ // channel can be reached. The Control Agent is required // to run on the partner's machine with "http-host" and // "http-port" values set to the corresponding values. - // For security reasons, Kea should be run as non root - // user, a port lower than 1024 should be used (e.g. 897) - // and, on Linux systems, the process should have - // 'CAP_NET_BIND_SERVICE' capabilities. + // For security reasons, a port lower than 1024 should be used (e.g. 897). "url": "http://192.168.56.66:8007", // The partner is standby. This server is primary. "role": "standby" diff --git a/doc/examples/kea6/ha-hot-standby-server2.json b/doc/examples/kea6/ha-hot-standby-server2.json index dd85224cac..6335f9046a 100644 --- a/doc/examples/kea6/ha-hot-standby-server2.json +++ b/doc/examples/kea6/ha-hot-standby-server2.json @@ -85,10 +85,7 @@ // channel can be reached. The Control Agent is required // to run on the partner's machine with "http-host" and // "http-port" values set to the corresponding values. - // For security reasons, Kea should be run as non root - // user, a port lower than 1024 should be used (e.g. 897) - // and, on Linux systems, the process should have - // 'CAP_NET_BIND_SERVICE' capabilities. + // For security reasons, a port lower than 1024 should be used (e.g. 897). "url": "http://192.168.56.33:8007", // The partner is primary. This server is standby. "role": "primary" @@ -100,10 +97,7 @@ // Control Agent must run along with this DHCPv6 server // instance and the "http-host" and "http-port" must be // set to the corresponding values. - // For security reasons, Kea should be run as non root - // user, a port lower than 1024 should be used (e.g. 897) - // and, on Linux systems, the process should have - // 'CAP_NET_BIND_SERVICE' capabilities. + // For security reasons, a port lower than 1024 should be used (e.g. 897). "url": "http://192.168.56.66:8007", // This server is standby. The other one must be // primary. diff --git a/doc/examples/template-ha-mt-tls/kea-ca-1.conf b/doc/examples/template-ha-mt-tls/kea-ca-1.conf index 0c6a80a821..f9578b6f38 100644 --- a/doc/examples/template-ha-mt-tls/kea-ca-1.conf +++ b/doc/examples/template-ha-mt-tls/kea-ca-1.conf @@ -33,9 +33,7 @@ // listener is different (e.g. 8001) than the one used by CA. Note // the commands should still be sent via CA. The dedicated listener // is specifically for HA updates only. - // For security reasons, Kea should be run as non root user, a port lower - // than 1024 should be used (e.g. 890) and, on Linux systems, the process - // should have 'CAP_NET_BIND_SERVICE' capabilities. + // For security reasons, a port lower than 1024 should be used (e.g. 890). "http-port": 8001, "control-sockets": diff --git a/doc/examples/template-ha-mt-tls/kea-ca-2.conf b/doc/examples/template-ha-mt-tls/kea-ca-2.conf index 2bc24a3b17..8a4e8bef70 100644 --- a/doc/examples/template-ha-mt-tls/kea-ca-2.conf +++ b/doc/examples/template-ha-mt-tls/kea-ca-2.conf @@ -33,9 +33,7 @@ // listener is different (e.g. 8001) than the one used by CA. Note // the commands should still be sent via CA. The dedicated listener // is specifically for HA updates only. - // For security reasons, Kea should be run as non root user, a port lower - // than 1024 should be used (e.g. 890) and, on Linux systems, the process - // should have 'CAP_NET_BIND_SERVICE' capabilities. + // For security reasons, a port lower than 1024 should be used (e.g. 890). "http-port": 8001, "control-sockets": diff --git a/doc/examples/template-ha-mt-tls/kea-dhcp4-1.conf b/doc/examples/template-ha-mt-tls/kea-dhcp4-1.conf index 5c450224b1..9b3d58275c 100644 --- a/doc/examples/template-ha-mt-tls/kea-dhcp4-1.conf +++ b/doc/examples/template-ha-mt-tls/kea-dhcp4-1.conf @@ -157,9 +157,7 @@ // The Control Agent is not needed for the High Availability // with multi-threading, but if it is used, it must use // different values for "http-host" and "http-port". - // For security reasons, Kea should be run as non root user, a port - // lower than 1024 should be used (e.g. 895) and, on Linux systems, - // the process should have 'CAP_NET_BIND_SERVICE' capabilities. + // For security reasons, a port lower than 1024 should be used (e.g. 895). "url": "http://192.168.1.2:8005", // Trust anchor aka certificate authority file or directory. "trust-anchor": "/usr/lib/kea/CA.pem", @@ -180,9 +178,7 @@ // The Control Agent is not needed for the High Availability // with multi-threading, but if it is used, it must use // different values for "http-host" and "http-port". - // For security reasons, Kea should be run as non root user, a port - // lower than 1024 should be used (e.g. 895) and, on Linux systems, - // the process should have 'CAP_NET_BIND_SERVICE' capabilities. + // For security reasons, a port lower than 1024 should be used (e.g. 895). "url": "http://192.168.1.3:8005", // Trust anchor aka certificate authority file or directory. "trust-anchor": "/usr/lib/kea/CA.pem", diff --git a/doc/examples/template-ha-mt-tls/kea-dhcp4-2.conf b/doc/examples/template-ha-mt-tls/kea-dhcp4-2.conf index a49a9505db..27bee613c9 100644 --- a/doc/examples/template-ha-mt-tls/kea-dhcp4-2.conf +++ b/doc/examples/template-ha-mt-tls/kea-dhcp4-2.conf @@ -157,9 +157,7 @@ // The Control Agent is not needed for the High Availability // with multi-threading, but if it is used, it must use // different values for "http-host" and "http-port". - // For security reasons, Kea should be run as non root user, a port - // lower than 1024 should be used (e.g. 895) and, on Linux systems, - // the process should have 'CAP_NET_BIND_SERVICE' capabilities. + // For security reasons, a port lower than 1024 should be used (e.g. 895). "url": "http://192.168.1.2:8005", // Trust anchor aka certificate authority file or directory. "trust-anchor": "/usr/lib/kea/CA.pem", @@ -180,9 +178,7 @@ // The Control Agent is not needed for the High Availability // with multi-threading, but if it is used, it must use // different values for "http-host" and "http-port". - // For security reasons, Kea should be run as non root user, a port - // lower than 1024 should be used (e.g. 895) and, on Linux systems, - // the process should have 'CAP_NET_BIND_SERVICE' capabilities. + // For security reasons, a port lower than 1024 should be used (e.g. 895). "url": "http://192.168.1.3:8005", // Trust anchor aka certificate authority file or directory. "trust-anchor": "/usr/lib/kea/CA.pem", diff --git a/doc/examples/template-power-user-home/kea-ca-1.conf b/doc/examples/template-power-user-home/kea-ca-1.conf index 03f9839920..da4f19c3f4 100644 --- a/doc/examples/template-power-user-home/kea-ca-1.conf +++ b/doc/examples/template-power-user-home/kea-ca-1.conf @@ -9,9 +9,7 @@ "http-host": "192.168.1.2", // This specifies the port CA will listen on. - // For security reasons, Kea should be run as non root user, a port lower - // than 1024 should be used (e.g. 890) and, on Linux systems, the process - // should have 'CAP_NET_BIND_SERVICE' capabilities. + // For security reasons, a port lower than 1024 should be used (e.g. 890). "http-port": 8000, "control-sockets": diff --git a/doc/examples/template-power-user-home/kea-ca-2.conf b/doc/examples/template-power-user-home/kea-ca-2.conf index dbff0250dd..bb3d0d6a33 100644 --- a/doc/examples/template-power-user-home/kea-ca-2.conf +++ b/doc/examples/template-power-user-home/kea-ca-2.conf @@ -9,9 +9,7 @@ "http-host": "192.168.1.3", // This specifies the port CA will listen on. - // For security reasons, Kea should be run as non root user, a port lower - // than 1024 should be used (e.g. 890) and, on Linux systems, the process - // should have 'CAP_NET_BIND_SERVICE' capabilities. + // For security reasons, a port lower than 1024 should be used (e.g. 890). "http-port": 8000, "control-sockets": diff --git a/doc/examples/template-power-user-home/kea-dhcp4-1.conf b/doc/examples/template-power-user-home/kea-dhcp4-1.conf index 704d16f810..8b2e5980d2 100644 --- a/doc/examples/template-power-user-home/kea-dhcp4-1.conf +++ b/doc/examples/template-power-user-home/kea-dhcp4-1.conf @@ -121,10 +121,7 @@ // Control Agent must run along with this DHCPv4 server // instance and the "http-host" and "http-port" must be // set to the corresponding values. - // For security reasons, Kea should be run as non root user, - // a port lower than 1024 should be used (e.g. 895) and, on - // Linux systems, the process should have 'CAP_NET_BIND_SERVICE' - // capabilities. + // For security reasons, a port lower than 1024 should be used (e.g. 895). "url": "http://192.168.1.2:8005", // This server is primary. The other one must be // secondary. @@ -137,10 +134,7 @@ // channel can be reached. The Control Agent is required // to run on the partner's machine with "http-host" and // "http-port" values set to the corresponding values. - // For security reasons, Kea should be run as non root user, - // a port lower than 1024 should be used (e.g. 895) and, on - // Linux systems, the process should have 'CAP_NET_BIND_SERVICE' - // capabilities. + // For security reasons, a port lower than 1024 should be used (e.g. 895). "url": "http://192.168.1.3:8005", // The other server is secondary. This one must be // primary. diff --git a/doc/examples/template-power-user-home/kea-dhcp4-2.conf b/doc/examples/template-power-user-home/kea-dhcp4-2.conf index e6b2f25685..5d0166edd2 100644 --- a/doc/examples/template-power-user-home/kea-dhcp4-2.conf +++ b/doc/examples/template-power-user-home/kea-dhcp4-2.conf @@ -121,10 +121,7 @@ // channel can be reached. The Control Agent is required // to run on the partner's machine with "http-host" and // "http-port" values set to the corresponding values. - // For security reasons, Kea should be run as non root user, - // a port lower than 1024 should be used (e.g. 895) and, on - // Linux systems, the process should have 'CAP_NET_BIND_SERVICE' - // capabilities. + // For security reasons, a port lower than 1024 should be used (e.g. 895). "url": "http://192.168.1.2:8005", // The other server is primary. This one must be // secondary. @@ -137,10 +134,7 @@ // Control Agent must run along with this DHCPv4 server // instance and the "http-host" and "http-port" must be // set to the corresponding values. - // For security reasons, Kea should be run as non root user, - // a port lower than 1024 should be used (e.g. 895) and, on - // Linux systems, the process should have 'CAP_NET_BIND_SERVICE' - // capabilities. + // For security reasons, a port lower than 1024 should be used (e.g. 895). "url": "http://192.168.1.3:8005", // This server is secondary. The other one must be // primary. diff --git a/doc/sphinx/arm/agent.rst b/doc/sphinx/arm/agent.rst index cfcdbd0b28..0816c57121 100644 --- a/doc/sphinx/arm/agent.rst +++ b/doc/sphinx/arm/agent.rst @@ -114,9 +114,7 @@ provided above, the RESTful service will be available at the URL ``https://10.20.30.40:8000/``. If these parameters are not specified, the default URL is ``http://127.0.0.1:8000/``. -For security reasons, Kea should be run as non root user, a port lower -than 1024 should be used (e.g. 890) and, on Linux systems, the process -should have 'CAP_NET_BIND_SERVICE' capabilities. +For security reasons, a port lower than 1024 should be used (e.g. 890). When using Kea's HA hook library with multi-threading, the address:port combination used for CA must be diff --git a/doc/sphinx/arm/ddns.rst b/doc/sphinx/arm/ddns.rst index 53a6bf232e..08aa0bf8f1 100644 --- a/doc/sphinx/arm/ddns.rst +++ b/doc/sphinx/arm/ddns.rst @@ -403,9 +403,7 @@ TLS is required). The ``socket-address`` (default ``127.0.0.1``) and ``socket-port`` (default 8000) specify an IP address and port to which the HTTP service will be bound. -For security reasons, Kea should be run as non root user, a port lower -than 1024 should be used (e.g. 892) and, on Linux systems, the process -should have 'CAP_NET_BIND_SERVICE' capabilities. +For security reasons, a port lower than 1024 should be used (e.g. 892). The ``trust-anchor``, ``cert-file``, ``key-file``, and ``cert-required`` parameters specify the TLS setup for HTTP, i.e. HTTPS. If these parameters diff --git a/doc/sphinx/arm/dhcp4-srv.rst b/doc/sphinx/arm/dhcp4-srv.rst index 717f7f7b0a..ceaf0441fb 100644 --- a/doc/sphinx/arm/dhcp4-srv.rst +++ b/doc/sphinx/arm/dhcp4-srv.rst @@ -7910,9 +7910,7 @@ TLS is required). The ``socket-address`` (default ``127.0.0.1``) and ``socket-port`` (default 8000) specify an IP address and port to which the HTTP service will be bound. -For security reasons, Kea should be run as non root user, a port lower -than 1024 should be used (e.g. 894) and, on Linux systems, the process -should have 'CAP_NET_BIND_SERVICE' capabilities. +For security reasons, a port lower than 1024 should be used (e.g. 894). Since Kea 2.7.5 the ``http-headers`` parameter specifies a list of extra HTTP headers to add to HTTP responses. diff --git a/doc/sphinx/arm/dhcp6-srv.rst b/doc/sphinx/arm/dhcp6-srv.rst index 9b220c013c..14ce9793bf 100644 --- a/doc/sphinx/arm/dhcp6-srv.rst +++ b/doc/sphinx/arm/dhcp6-srv.rst @@ -7816,9 +7816,7 @@ TLS is required). The ``socket-address`` (default ``::1``) and ``socket-port`` (default 8000) specify an IP address and port to which the HTTP service will be bound. -For security reasons, Kea should be run as non root user, a port lower -than 1024 should be used (e.g. 896) and, on Linux systems, the process -should have 'CAP_NET_BIND_SERVICE' capabilities. +For security reasons, a port lower than 1024 should be used (e.g. 896). Since Kea 2.7.5 the ``http-headers`` parameter specifies a list of extra HTTP headers to add to HTTP responses. diff --git a/doc/sphinx/arm/hooks-ha.rst b/doc/sphinx/arm/hooks-ha.rst index 89e164129d..e00cb255ef 100644 --- a/doc/sphinx/arm/hooks-ha.rst +++ b/doc/sphinx/arm/hooks-ha.rst @@ -1593,9 +1593,7 @@ machine as the primary server. This configuration is valid for both the // listener is different (e.g. 8001) than the one used by CA. Note // the commands should still be sent via CA. The dedicated listener // is specifically for HA updates only. - // For security reasons, Kea should be run as non root user, a port - // lower than 1024 should be used (e.g. 890) and, on Linux systems, - // the process should have 'CAP_NET_BIND_SERVICE' capabilities. + // For security reasons, a port lower than 1024 should be used (e.g. 890). "http-port": 8000, "control-sockets": { @@ -1687,10 +1685,7 @@ as illustrated below: // DHCPv4 server open its own socket. Note that it // must be different than the one used by the CA // (typically 8000). In this example, 8005 is used. - // For security reasons, Kea should be run as non root - // user, a port lower than 1024 should be used (e.g. 895) - // and, on Linux systems, the process should have - // 'CAP_NET_BIND_SERVICE' capabilities. + // For security reasons, a port lower than 1024 should be used (e.g. 895). "url": "http://192.0.2.1:8005", // This server is primary. The other one must be // secondary. @@ -1704,10 +1699,7 @@ as illustrated below: // DHCPv4 server open its own socket. Note that it // must be different than the one used by the CA // (typically 8000). In this example, 8005 is used. - // For security reasons, Kea should be run as non root - // user, a port lower than 1024 should be used (e.g. 895) - // and, on Linux systems, the process should have - // 'CAP_NET_BIND_SERVICE' capabilities. + // For security reasons, a port lower than 1024 should be used (e.g. 895). "url": "http://192.0.2.2:8005", // The partner is a secondary. This server is a // primary as specified in the previous "peers" diff --git a/doc/sphinx/arm/hooks-rbac.rst b/doc/sphinx/arm/hooks-rbac.rst index 8051fbeb49..c4a1dcc1b1 100644 --- a/doc/sphinx/arm/hooks-rbac.rst +++ b/doc/sphinx/arm/hooks-rbac.rst @@ -249,9 +249,7 @@ in the Kea source and is copied below. // listener is different (e.g. 8001) than the one used by CA. Note // the commands should still be sent via CA. The dedicated listener // is specifically for HA updates only. - // For security reasons, Kea should be run as non root user, a port lower - // than 1024 should be used (e.g. 890) and, on Linux systems, the process - // should have 'CAP_NET_BIND_SERVICE' capabilities. + // For security reasons, a port lower than 1024 should be used (e.g. 890). "http-port": 8000, // TLS trust anchor (Certificate Authority). This is a file name or diff --git a/doc/sphinx/arm/security.rst b/doc/sphinx/arm/security.rst index 6251a8e09a..6d451c6f08 100644 --- a/doc/sphinx/arm/security.rst +++ b/doc/sphinx/arm/security.rst @@ -317,8 +317,7 @@ capabilities mechanism on Linux systems, Kea can run from an unprivileged accoun The Control Agent (CA) can accept incoming HTTP or HTTPS connections. The default port is 8000, which does not require privileged access. -For security reasons, Kea should be run as non root user, a port lower than 1024 should be used (e.g. 890) -and, on Linux systems, the process should have 'CAP_NET_BIND_SERVICE' capabilities. +For security reasons, a port lower than 1024 should be used (e.g. 890). Securing Kea Administrative Access ---------------------------------- diff --git a/src/bin/keactrl/kea-ctrl-agent.conf.pre b/src/bin/keactrl/kea-ctrl-agent.conf.pre index 6f7a366feb..600de21e1f 100644 --- a/src/bin/keactrl/kea-ctrl-agent.conf.pre +++ b/src/bin/keactrl/kea-ctrl-agent.conf.pre @@ -24,9 +24,7 @@ // listener is different (e.g. 8001) than the one used by CA. Note // the commands should still be sent via CA. The dedicated listener // is specifically for HA updates only. - // For security reasons, Kea should be run as non root user, a port lower - // than 1024 should be used (e.g. 890) and, on Linux systems, the process - // should have 'CAP_NET_BIND_SERVICE' capabilities. + // For security reasons, a port lower than 1024 should be used (e.g. 890). "http-port": 8000, // Allow access only to kea-api user.