Red Hat Bugzilla – Bug 185712
Documentation should be clear about server user id
Last modified: 2012-06-21 19:14:56 EDT
Description of problem:
In the Fedora Directory Server install docs it strongly suggests that FDS not be
run as root, and therefore that the default port not be used. Following these
instructions, the ldapsearch commands in the Howto:AdminServerLDAPMgmt need a -p
option with the user's chosen ldap server port.
Running as root and starting as root aren't the same thing.
In order to use a port < 1024 the server needs to start as root. Once the port
has been opened the server can drop root privileges and run as another user.
This is what is being recommended.
I won't argue that what you describe is the way it should be done; I don't know
enough to have an opinion, but that isn't what the docs currently describe.
"Directory Server must be run as root if it will listen on either port 389 or 636."
And then from:
"For security reasons, it is always best to run production servers with normal
user privileges. That is, you do not want to run Directory Server with root
privileges. However, you will have to run Directory Server with root privileges
if you are using the default Directory Server ports."
These all use the term "run" and not "start", and implied to me that the default
port should not be used for production servers. So, when I set up FDS I created
a dsuser account and picked a port > 1024.
Again, this may be a bug in the install doc more than the AdminServerLDAPMgmt
doc, but at this point the two conflict which causes pain for newbies like me.
Not sure who owns the install guide, but we need to be very clear about this.
BrianC, can you make sure this is addressed in the Install Guide?
User email@example.com's account has been closed
Moving Status to 'Assigned'
This should be clarified in the 8.0 docs (cf. beta install guide):
"If you are using ports below 1024, such as the default LDAP port (389), you
must run the setup program and start the servers as root. You do not, however,
have to set the server user ID to root. When it starts, the server binds and
listens to its port as root, then immediately drops its privileges and runs as
the non-root server user ID. When the system restarts, the server is started as
root by the initscript. The setuid(2) man page has detailed technical information."
"Section 1.2.2, “Directory Server User and Group” has more information about the
server user ID."
Changing MODIFIED to ON_QA.
(In reply to comment #8)
> This should be clarified in the 8.0 docs (cf. beta install guide):
> "If you are using ports below 1024, such as the default LDAP port (389), you
> must run the setup program and start the servers as root. You do not, however,
> have to set the server user ID to root. When it starts, the server binds and
> listens to its port as root, then immediately drops its privileges and runs as
> the non-root server user ID. When the system restarts, the server is started as
> root by the initscript. The setuid(2) man page has detailed technical information."
> "Section 1.2.2, “Directory Server User and Group” has more information about the
> server user ID."
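The paragraph quoted above (and comment #1 earlier in this bug) describes the start-as-root, run-as-unprivileged pattern: bind the privileged port while still root, then drop to the server user ID before serving. The following is an added example written for this bug, not Fedora Directory Server code. It assumes a hypothetical invocation `./bindrop <port> <uid> <gid>` run as root; the function names `needs_root_to_bind`, `bind_listen_port` and `drop_privileges` are this example's own. The drop order (supplementary groups, then gid, then uid) and the `setuid(0)` re-check afterwards are the two details that most often go wrong when this pattern is implemented by hand.

```c
/* Added example (not Fedora Directory Server code): start as root to bind a
 * port below 1024, then drop to an unprivileged uid/gid before serving.
 * Assumed invocation, as root:  ./bindrop 389 <uid> <gid>                    */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Ports below 1024 are privileged: only root (or CAP_NET_BIND_SERVICE on Linux)
 * may bind them, which is why the initscript starts the server as root. */
int needs_root_to_bind(int port) { return port > 0 && port < 1024; }

/* Open a listening TCP socket on the port. For a privileged port this must run
 * before privileges are dropped. Returns the fd, or -1 with errno set. */
int bind_listen_port(int port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* loopback only for the demo */
    addr.sin_port = htons((uint16_t)port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) != 0 || listen(fd, 16) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Permanently drop to uid/gid. Order matters: clear supplementary groups and
 * set the gid while still root, then set the uid (once the uid is non-root,
 * setgid to another group would fail). A target of uid 0 or gid 0 is refused,
 * because "dropping" to root drops nothing. Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; }
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Verify the drop is irreversible: regaining root must now fail. */
    if (setuid(0) == 0) { errno = EPERM; return -1; }
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv) {
    if (argc != 4) { fprintf(stderr, "usage: %s port uid gid\n", argv[0]); return 2; }
    int port = atoi(argv[1]);
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);
    if (needs_root_to_bind(port) && geteuid() != 0) {
        fprintf(stderr, "port %d is privileged: start as root; the server then drops to uid %u\n",
                port, (unsigned)uid);
        return 1;
    }
    int fd = bind_listen_port(port);              /* still root at this point */
    if (fd < 0) { perror("bind"); return 1; }
    if (drop_privileges(uid, gid) != 0) { perror("drop_privileges"); return 1; }
    printf("listening on %d as uid=%u euid=%u; root cannot be regained\n",
           port, (unsigned)getuid(), (unsigned)geteuid());
    close(fd); /* a real server would accept() here as the unprivileged user */
    return 0;
}
```

Note the distinction the thread turns on: the process is *started* as root (so `bind_listen_port(389)` succeeds) but *runs* as the server user, and the `setuid(0)` check after the drop is what proves the privilege drop actually took effect rather than leaving a saved root uid behind.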