Bug 185712
Summary: | Documentation should be clear about server user id | |
---|---|---|---
Product: | [Retired] 389 | Reporter: | Mont Rothstein <mont_rothstein>
Component: | wiki | Assignee: | Deon Ballard <dlackey>
Status: | CLOSED CURRENTRELEASE | QA Contact: | ecs-bugs
Severity: | medium | Docs Contact: |
Priority: | high | |
Version: | 1.0 | CC: | rcritten
Target Milestone: | --- | Keywords: | Documentation
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
URL: | http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2012-06-21 23:14:56 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | | |
Bug Blocks: | 152373, 240316, 427409 | |
Description
Mont Rothstein
2006-03-17 01:34:54 UTC
Running as root and starting as root aren't the same thing. In order to use a port < 1024 the server needs to start as root. Once the port has been opened the server can drop root privileges and run as another user. This is what is being recommended. I won't argue that what you describe is the way it should be done, I don't know enough to have an opinion, but that isn't what the docs currently describe.

From: http://www.redhat.com/docs/manuals/dir-server/install/7.1/sn.prepare.decide.html#SN.PREPARE.UNIQUE.PORT

"Directory Server must be run as root if it will listen on either port 389 or 636."

And then from: http://www.redhat.com/docs/manuals/dir-server/install/7.1/sn.prepare.decide.html#SN.PREPARE.USER.GROUP

"For security reasons, it is always best to run production servers with normal user privileges. That is, you do not want to run Directory Server with root privileges. However, you will have to run Directory Server with root privileges if you are using the default Directory Server ports."

These all use the term "run" and not "start" and implied to me that the default port should not be used for production servers. So, when I set up FDS I created a dsuser account and picked a port > 1024.

Again, this may be a bug in the install doc more than the AdminServerLDAPMgmt doc, but at this point the two conflict, which causes pain for newbies like me.

Not sure who owns the install guide, but we need to be very clear about this. BrianC, can you make sure this is addressed in the Install Guide?

User bcleary's account has been closed. Moving Status to 'Assigned'.

This should be clarified in the 8.0 docs (cf. beta install guide):

"If you are using ports below 1024, such as the default LDAP port (389), you must run the setup program and start the servers as root. You do not, however, have to set the server user ID to root. When it starts, the server binds and listens to its port as root, then immediately drops its privileges and runs as the non-root server user ID. When the system restarts, the server is started as root by the initscript. The setuid(2) man page has detailed technical information.

"Section 1.2.2, “Directory Server User and Group” has more information about the server user ID."

See http://www.redhat.com/docs/manuals/dir-server/install/8.0/Installation_Guide-Preparing_for_a_Directory_Server_Installation-Port_Number.html.

Changing modifieds to ON_QA.

(In reply to comment #8)
> This should be clarified in the 8.0 docs (cf. beta install guide):
>
> "If you are using ports below 1024, such as the default LDAP port (389), you
> must run the setup program and start the servers as root. You do not, however,
> have to set the server user ID to root. When it starts, the server binds and
> listens to its port as root, then immediately drops its privileges and runs as
> the non-root server user ID. When the system restarts, the server is started as
> root by the initscript. The setuid(2) man page has detailed technical information.
>
> "Section 1.2.2, “Directory Server User and Group” has more information about the
> server user ID."
>
> See
> http://www.redhat.com/docs/manuals/dir-server/install/8.0/Installation_Guide-Preparing_for_a_Directory_Server_Installation-Port_Number.html.

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.0/html/Installation_Guide/Installation_Guide-Preparing_for_a_Directory_Server_Installation-Considerations.html#Installation_Guide-Preparing_for_a_Directory_Server_Installation-Port_Number

Verified: Red_Hat_Directory_Server-Installation_Guide-8.0-web-en-US-8.0.5-5.el5

Closing.
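The "start as root, run as the server user" behaviour the thread describes, as an added C example that is not code from 389 Directory Server or from this bug: the listening socket is bound while still root (required for port 389), privileges are then dropped permanently in the safe order, and the drop is checked to be irreversible. The port, the `nobody` account used as the server user, and the loopback-only bind are assumptions for the example.

```c
/* Added example, not 389 Directory Server code: bind the listening socket
 * while still root (needed for ports below 1024), then drop to an
 * unprivileged uid/gid permanently, in the order setgroups, setgid, setuid. */
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind and listen on a loopback TCP port (0 = any free port). Returns the
 * listening fd, or -1 on failure (EACCES below 1024 when not root). */
int bind_listener(unsigned short port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permanently switch to uid/gid. Supplementary groups and the gid go first
 * (they still need root); setuid() last replaces real, effective and saved
 * uid so root cannot be regained. Returns 0 on success, -1 otherwise. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    if (uid != 0 && (setuid(0) == 0 || geteuid() != uid || getegid() != gid))
        return -1; /* still root, or the switch did not take effect */
    return 0;
}

int main(int argc, char **argv) {
    unsigned short port = argc > 1 ? (unsigned short)atoi(argv[1]) : 389;
    const char *user = argc > 2 ? argv[2] : "nobody"; /* assumed server account */
    int fd = bind_listener(port); /* must happen before the drop */
    if (fd < 0) { perror("bind_listener"); return 1; }
    struct passwd *pw = getpwnam(user);
    if (!pw || drop_privileges(pw->pw_uid, pw->pw_gid) < 0) { perror("drop_privileges"); return 1; }
    printf("port %u bound; now uid %u gid %u\n", port, (unsigned)geteuid(), (unsigned)getegid());
    close(fd); /* a real daemon would accept() connections here as the non-root user */
    return 0;
}
```

Run it as root with `./a.out 389 nobody` to see the bind succeed and the process end up unprivileged; run it as a normal user with the same arguments and the bind fails with EACCES, which is exactly the case the 7.1 install guide wording left ambiguous.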