Scott Roberts wrote:

> Thanks Pete.
>
> so the steps...
> create user and group
> install directory as root
> set server user and group to user and group created

Setup will do this for you.

> Does "installing" the directory as root affect how the
> DS starts (or anything else for that matter)?

No. In fact, you have to install the RPM as root.

> And if I set the server user and group to something I create,
> will the DS start as them?

The DS will start as root, and start the server listening to ports 389/636, then the server will "drop privileges" to run as the non-root user (nobody:nobody by default).

> Trying to ascertain if I need to config the DS startup in the
> OS to switch users. Probably a common thing in rc.local or
> whatever and I'm an idiot :)

No, the server just does it automatically, as long as you specify the user to use during setup.

> Again thanks for answering the newb question. I just
> need to research Linux more and get this baby running
> the correct way.
>
> --- Pete Rowley <prowley at redhat.com> wrote:
>
>> Scott Roberts wrote:
>>
>>> New to Linux and was wondering what is the best
>>> practice for choosing a user and group for running
>>> applications? Is running an app as root the normal
>>> thing to do?
>>
>> no
>>
>>> Is running apps as root a bad thing?
>>
>> yes
>>
>>> Huge security risk?
>>
>> yes
>>
>>> Sorry for the stupid question but have
>>> seen different docs saying what to run a directory as.
>>> The RH docs say if you want to run directory on
>>> default ports run as root. That's what I plan to do.
>>
>> This refers to starting the DS, but the DS is configured to run as
>> another user/group. When the DS starts up it opens the ports it
>> requires and then changes to the configured user/group in order that
>> under normal running conditions it has a lower security profile.
>> Starting the DS as root is required to open ports 389 and 636, the
>> designated LDAP and LDAPS ports, but please do configure the server to
>> switch to a user/group which you have created specifically for the DS.
>>
>> --
>> Pete
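
The startup order both replies describe (start as root, open the LDAP port, then switch to the configured user and group), as an added C example that is not Fedora Directory Server's own code. The names `open_listener` and `drop_privileges` and the id 65534 for nobody:nobody are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <grp.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Step 1: bind while still root; ports below 1024 (389/636) need it. */
int open_listener(unsigned short port) {
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons(port) };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    a.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(fd, (struct sockaddr *)&a, sizeof a) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Step 2: permanently become uid:gid. Groups and gid must change first,
 * while the process still has the privilege to change them; setuid() goes
 * last. Returns 0 on success, -1 on failure (the caller should then exit). */
int drop_privileges(uid_t uid, gid_t gid) {
    if (uid == 0 || gid == 0) return -1;     /* "dropping" to root is a config error */
    if (setgroups(0, NULL) != 0) return -1;  /* shed root's supplementary groups */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;         /* as root: real, effective and saved uid */
    if (setuid(0) == 0 || setgid(0) == 0) return -1;  /* drop must be irreversible */
    return 0;
}

int main(void) {
    const uid_t uid = 65534;  /* assumed ids for nobody:nobody; check */
    const gid_t gid = 65534;  /* /etc/passwd and /etc/group on your system */
    int fd = open_listener(389);
    if (fd < 0) { perror("bind 389 (run as root)"); return 1; }
    if (drop_privileges(uid, gid) != 0) { perror("drop_privileges"); return 1; }
    printf("listening on 389 as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    close(fd);
    return 0;
}
```

The listening socket opened as root stays usable after the switch, which is why no `su` or rc.local wrapper is needed around the server.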