New to Linux and was wondering what is the best practice for choosing a user and group for running applications? Is running an app as root the normal thing to do? Is running apps as root a bad thing? Huge security risk?

Sorry for the stupid question but have seen different docs saying what to run a directory as. The RH docs say if you want to run directory on default ports run as root. That's what I plan to do.
Scott Roberts wrote:
> New to Linux and was wondering what is the best practice for choosing a user and group for running applications? Is running an app as root the normal thing to do?

no

> Is running apps as root a bad thing?

yes

> Huge security risk?

yes

> Sorry for the stupid question but have seen different docs saying what to run a directory as. The RH docs say if you want to run directory on default ports run as root. That's what I plan to do.

This refers to starting the DS, but the DS is configured to run as another user/group. When the DS starts up it opens the ports it requires and then changes to the configured user/group in order that under normal running conditions it has a lower security profile. Starting the DS as root is required to open ports 389 and 636, the designated LDAP and LDAPS ports, but please do configure the server to switch to a user/group which you have created specifically for the DS.

--
Pete
Scott Roberts
2006-Sep-16 19:55 UTC
Re: [Fedora-directory-users] run as root? newb question
Thanks Pete.

so the steps...
create user and group
install directory as root
set server user and group to user and group created

Does "installing" the directory as root affect how the DS starts (or anything else for that matter)? And if I set the server user and group to something I create, will the DS start as them? Trying to ascertain if I need to config the DS startup in the OS to switch users. Probably a common thing in rc.local or whatever and I'm an idiot :)

Again thanks for answering the newb question. I just need to research Linux more and get this baby running the correct way.
Richard Megginson
2006-Sep-16 20:39 UTC
Re: [Fedora-directory-users] run as root? newb question
Scott Roberts wrote:
> Thanks Pete.
>
> so the steps...
> create user and group
> install directory as root
> set server user and group to user and group created

setup will do this for you.

> Does "installing" the directory as root affect how the DS starts (or anything else for that matter)?

No. In fact, you have to install the RPM as root.

> And if I set the server user and group to something I create, will the DS start as them?

The DS will start as root, and start the server listening to ports 389/636, then the server will "drop privileges" to run as the non-root user (nobody:nobody by default).

> Trying to ascertain if I need to config the DS startup in the OS to switch users. Probably a common thing in rc.local or whatever and I'm an idiot :)

No, the server just does it automatically. As long as you specify the user to use during setup.

> Again thanks for answering the newb question. I just need to research Linux more and get this baby running the correct way.