Re: slapd 2.2.24 will not start as non root user

["Brett @Google" <brett.maxfield@gmail.com>]

On Tue, Mar 1, 2011 at 8:30 PM, Iain M Conochie <iain@shihad.org> wrote:

> Does ldap://XXXXX.XXXXXXXX.XXX have a port >= 1024 at the end ?

Nope

>
> If default of 389,  must be root to listen.

Interesting....


ps -ef |grep slapd
ldap     30749     1  0 10:23 ?        00:00:00
/opt/openldap/libexec/slapd -u ldap -g ldap -h ldap://XXXX02.XXXXXX.org
ldaps://XXXX02.XXXXXX.org

netstat -anlp|grep slapd
tcp        0      0 192.168.1.36:389        0.0.0.0:*               LISTEN
    30749/slapd
tcp        0      0 192.168.1.36:636        0.0.0.0:*               LISTEN
    30749/slapd

This is with version 2.4.13, which as you can see is running as user ldap
and bound to 2 ports < 1024

A process that starts as root can choose to give up it's root permission after
binding the privileged port, and switch to a given userid/group. I presume
slapd switches to user "ldap", you don't need to be privileged to accept
connections once the privileged listening socket has been bound by root.

As a security feature, once the process gives up root permissions, it cannot get
them back, but it can still use the socket previously bound by root as it keeps
a reference to the socket so it can listen on it for connections.
 

So slapd is able to start and bind to the port. I though this used a
mechanism like that of apache whereby the daemon starts as root and then
binds to the ports, then drops the privileges to the non-root user, or am
I missing something?

Nope. Apache needs to start as root if listen port <1024, it then gives up it's
permission for the worker threads that actually do the work. The session leader
still runs as root, but it does not do any actual work but manage the non-root
children.

Re: apache non-root here is a link you might be interested in :

http://jsdelfino.blogspot.com/2010/03/binding-to-port-80-without-running-as.html

It is a small program which takes a root-owned port and redirects the traffic to
an unprivileged port. I don't see the point myself, but it might be good for people
that have high security requirements (or are happily paranoid).

For me, something like iptables (forward) / rinetd (but another program) might be
just as good, and this would work for both apache and slapd.

Once the FORWARD rule is configured (by root) in iptables, you could then run
your server process on any non-privileged port and could run it as a non-root
user and start / stop / manage it as a non-root user.

The incoming 80/389 connection would be redirected to port 50080,50389 or
something like that, which would be where your non-root server process listens.

Cheers
Brett