LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Server (http://www.linuxquestions.org/questions/linux-server-73/)
-   -   non-root bind to port 389 (http://www.linuxquestions.org/questions/linux-server-73/non-root-bind-to-port-389-a-572463/)

biddljj 07-26-2007 11:31 AM

non-root bind to port 389
 
Red Hat Linux ES 4

Sun Directory 6.0

I need to execute my directory server using a non root userid

Command line sudo works fine for starting the server
- server process is owned by uid=ldapsrv

Remote starts use the ldapsrv account to start the
ldap server. Start fails due to ldapsrv not being
allowed to bind to port 389.

[26/Jul/2007:08:59:51 -0500] - ERROR<12362> - Connection - conn=-1 op=-1 msgId=-1 - PR_Bind() on address <all interfaces> port <389> failed : error -5966 (Access Denied.).


If I change the port used by the LDAP server to a
high number life is good.

Question: How do I allow userid ldapsrv to start
software than binds to port 389 ?

wjevans_7d1@yahoo.co 07-26-2007 12:44 PM

In theory, only root can bind to a port < 1024.

I see only two possibilities, both of them ugly.

First: modify the source of your kernel so that the restriction is removed. This opens a huge security hole.

Second: modify the source of the directory server so that the first three things it does are:
  1. change the effective UID to root;
  2. bind a socket to port 389; and
  3. change the effective UID to ldapsrv
Then make sure the executable is owned by root, and change the protection on the executable so the SUID bit is on.

Hope this helps.


All times are GMT -5. The time now is 12:46 PM.