
Often, running the server as a non-root user from the start is an option that provides greater functionality than the setuid equivalent. Running the server as a non-root user means that administrators do not need root access to the system, which is often desirable from an operational perspective. In addition, more administrative actions can be performed with the server online, because a server that never had root privileges is not restricted to what remained available after dropping them.

The primary reason that servers are typically started and run as root is so that they can listen on a privileged port (namely, ports below 1024). The standard port for LDAP communication is 389, and the standard port for LDAPS is 636. On most UNIX-based systems only root can create processes that listen on these ports. There can be other reasons for starting as root (for example, the ability to use a larger number of file descriptors), but it is generally easier to configure around these other limitations.

Although the standard LDAP and LDAPS ports are 389 and 636, the server is not required to run on those ports. Virtually all LDAP-enabled clients provide the ability to specify the port on which the server is listening. If the clients know which port the server is using, then any value is allowed. In some environments, it is common to run the server on a port above 1024 (such as 1389) so that it is not necessary to be root to start it. For information about configuring the listen port, see Displaying the Properties of LDAP Connection Handler. If clients expect the server to be listening on port 389 or 636, other options are still available.

The best option, available on Solaris systems from Solaris 10 onwards, is to use the process rights management subsystem (also called least privilege). The privileges subsystem in Solaris makes it possible to give non-root users and roles capabilities normally available only to the root user (much like the Privilege Subsystem allows within the server). In particular, the net_privaddr privilege controls which users can bind to privileged ports. If this privilege is granted to a non-root user, that user can bind to privileged ports. To configure a user with this privilege, run the following command as the root user:

# usermod -K defaultpriv=basic,net_privaddr,sys_resource,-proc_info,-file_link_any oud

This command configures the oud user so that it starts with the basic privilege set (which is what non-root users have by default). It then adds the net_privaddr privilege, which allows the user to bind privileged ports, and the sys_resource privilege, which allows the user to raise resource limits such as the number of file descriptors available, among other things. It also removes the proc_info privilege (which allows the user to see processes owned by other users) and the file_link_any privilege (which allows the user to create hard links to files that they do not own), neither of which the server needs. The resulting account therefore has slightly fewer privileges than an ordinary non-root user, plus the two that the server actually requires.

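The following pre-flight check is an added example and is not part of the OUD documentation or the product. It ties together the two points above: a listen port below 1024 requires net_privaddr, and the usermod command is only effective if proc_info and file_link_any are really absent from the service user's effective set. It works on the text that ppriv -S $$ prints when run as the service user; the three ppriv listings embedded below are constructed samples in that layout, and the membership of the basic set is assumed to be the Solaris 10 one (file_link_any, proc_exec, proc_fork, proc_info, proc_session).

```shell
#!/bin/sh
# Added example (not from the OUD documentation): a pre-flight check that
# decides from `ppriv -S $$` output, captured while logged in as the service
# user, whether that user can bind the configured LDAP port and whether the
# privileges removed by the usermod command are really gone.

# Basic privilege set as documented for Solaris 10 (assumption for this
# example). In ppriv's short form, "basic" expands to these and "!priv" marks
# a basic privilege that was removed from the set.
BASIC_PRIVS="file_link_any proc_exec proc_fork proc_info proc_session"

# Constructed sample listings in the layout ppriv -S prints (E/I/P/L sets).
SAMPLE_OUD='4242:   -sh
flags = <none>
        E: basic,net_privaddr,sys_resource,!proc_info,!file_link_any
        I: basic,net_privaddr,sys_resource,!proc_info,!file_link_any
        P: basic,net_privaddr,sys_resource,!proc_info,!file_link_any
        L: all'

SAMPLE_DEFAULT='4243:   -sh
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all'

SAMPLE_ROOT='4244:   -sh
flags = <none>
        E: all
        I: basic
        P: all
        L: all'

# Print the effective (E) set of a ppriv listing as a comma-separated string.
effective_set() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*E:[[:space:]]*//p'
}

# Usage: priv_in_set SET PRIV. Exit 0 if PRIV is effective in SET.
# An explicit "!PRIV" wins over "basic"; "all" grants everything.
priv_in_set() {
    pset=",$1,"
    case "$pset" in
        *",!$2,"*) return 1 ;;
        *",$2,"*|*",all,"*) return 0 ;;
    esac
    case "$pset" in
        *",basic,"*)
            for b in $BASIC_PRIVS; do
                if [ "$b" = "$2" ]; then return 0; fi
            done ;;
    esac
    return 1
}

# Usage: can_bind_port PORT PPRIV_OUTPUT. Ports below 1024 need net_privaddr;
# any other port is bindable by any user. Exit 2 on a malformed port.
can_bind_port() {
    case "$1" in ''|*[!0-9]*) return 2 ;; esac
    if [ "$1" -lt 1024 ]; then
        priv_in_set "$(effective_set "$2")" net_privaddr
    else
        return 0
    fi
}

# Usage: unneeded_dropped PPRIV_OUTPUT. Exit 0 only if both proc_info and
# file_link_any are absent from the effective set.
unneeded_dropped() {
    eset=$(effective_set "$1")
    if priv_in_set "$eset" proc_info || priv_in_set "$eset" file_link_any; then
        return 1
    fi
    return 0
}

for port in 389 636 1389; do
    if can_bind_port "$port" "$SAMPLE_OUD"; then
        echo "oud user: can bind port $port"
    else
        echo "oud user: cannot bind port $port"
    fi
done
if unneeded_dropped "$SAMPLE_OUD"; then
    echo "oud user: proc_info and file_link_any are dropped"
fi
if ! can_bind_port 389 "$SAMPLE_DEFAULT"; then
    echo "default non-root user: cannot bind port 389"
fi
```

On a real Solaris host, replace the samples with live output, for example can_bind_port 389 "$(ppriv -S $$)" from a shell started as the oud user; running it from a root shell will succeed for any port (the E set is all) and tells you nothing about the service account.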