Hi Steve,
If I remember rightly, by default the server is started as root (to be able to open the listening ports) then switch to nsslapd-localuser (which is usually not privileged)
That said, I routinely run 389ds directly as a non-root user (mostly for development and debugging purposes) so it is possible to do it.
There is a bit more than what you listed but not much. (I do not change the instance configuration files but rather directly the template files ( defaults.inf for the user and paths and template-dse*.ldif to disable by default some plugins) then I create new instances with dscreate as usual:
For my part I had to disable pwdchan-plugin from the template-dse*.ldif but that is more likely because I use a custom build without RUST rather than the fact I start the server while logged in with an unprivileged user.
Have fun !
Pierre
If I remember rightly, by default the server is started as root (to be able to open the listening ports) then switch to nsslapd-localuser (which is usually not privileged)
That said, I routinely run 389ds directly as a non-root user (mostly for development and debugging purposes) so it is possible to do it.
There is a bit more than what you listed but not much. (I do not change the instance configuration files but rather directly the template files ( defaults.inf for the user and paths and template-dse*.ldif to disable by default some plugins) then I create new instances with dscreate as usual:
- Make sure to use non privileged port when creating instance
- Modify the defaults.inf to change the paths towards writable (by the user) directories (beware of path loke /run or /var/run )
For my part I had to disable pwdchan-plugin from the template-dse*.ldif but that is more likely because I use a custom build without RUST rather than the fact I start the server while logged in with an unprivileged user.
Have fun !
Pierre
On Mon, Jan 10, 2022 at 8:52 AM Steve F <steve.falzon@xxxxxxxxxxx> wrote:
Hello!
Currently dscontainer will start, configure and run ds-389 as a root user. I am wondering if there is support to run as a non-root user?
It is as simple as chown'ing the files to a non privileged user, updating nsslapd-localuser to the correct user, then running dscontainer -r as the unprivileged user?
Or will this break some other functionality?
Cheers,
Steve
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
--
389 Directory Server Development Team
389 Directory Server Development Team
_______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
