
List:       openldap-technical
Subject:    Antw: [EXT] Re: Symas OpenLDAP 2.5 RPMs run slapd as root?
From:       "Ulrich Windl" <Ulrich.Windl () rz ! uni-regensburg ! de>
Date:       2021-10-20 7:31:51
Message-ID: 616FC5E7020000A100044A0D () gwsmtp ! uni-regensburg ! de

Hi!

Wondering about "LimitNOFILE=96": Wouldn't that limit the open sockets
(connections) as well?

Regards,
Ulrich

>>> Michael Ströder <michael@stroeder.com> wrote on 19.10.2021 at 18:17 in
message <cfde6c8a-aee8-a5fa-02c6-5f5d6ecf0d3f@stroeder.com>:
> On 10/19/21 17:10, Quanah Gibson-Mount wrote:
>> --On Tuesday, October 19, 2021 1:00 AM -0700 "Paul B. Henson" 
>> <henson@acm.org> wrote:
>> 
>>> I'm testing openldap 2.5 in preparation for migration my production
>>> services, and I noticed that the 2.5 RPMs no longer create an ldap user
>>> and instead run slapd as root by default?
>> 
>> If you want it to run as a non-root user, it's on you to configure it as 
>> such, including said user.  The majority of Symas customers run as root.
> 
> IMHO there's no good reason to let systemd start slapd as root.
> 
> Binding to so-called "privileged ports" can be achieved by setting these 
> options in the systemd unit:
> 
> CapabilityBoundingSet=CAP_NET_BIND_SERVICE
> AmbientCapabilities=CAP_NET_BIND_SERVICE
> 
> Also it's good practice to use systemd's sandboxing options based on 
> Linux namespaces. Read about various options called Protect*= and 
> Private*= in systemd.exec(5).
> 
> Nevertheless I also recommend adding a custom service account and setting 
> ownership/permissions with decent config management instead of adding 
> this to an RPM .spec or Debian package.
> 
> Find below ae-slapd.service generated by Æ-DIR's ansible role.
> 
> Ciao, Michael.
> 
> # /etc/systemd/system/ae-slapd.service
> #-----------------------------------------------------------------------
> # initiate:   systemctl enable ae-slapd.service
> # start:      systemctl start ae-slapd.service
> # get status: systemctl status ae-slapd.service
> #
> # Ansible managed: ansible-homelan/master
> #-----------------------------------------------------------------------
> 
> [Unit]
> Description=AE-DIR OpenLDAP server
> Requires=local-fs.target network.target
> After=local-fs.target network.target
> 
> [Service]
> Type=simple
> Environment=LD_PRELOAD=/usr/lib64/libtcmalloc.so.4
> Environment=LDAPNOINIT=1
> PIDFile=/run/ae-dir/slapd/slapd.pid
> ExecStart=/usr/lib64/slapd -d none -n ae-slapd -l LOCAL4 -s 7 -f /opt/ae-dir/etc/openldap/slapd.conf -h 'ldapi://%%2Frun%%2Fae-dir%%2Fslapd%%2Fldapi/????x-mod=0777 ldap://*:389 ldaps://*:636' -o slp=off
> WorkingDirectory=/run/ae-dir/slapd
> User=ae-dir-slapd
> Group=ae-dir-slapd
> CapabilityBoundingSet=CAP_NET_BIND_SERVICE
> AmbientCapabilities=CAP_NET_BIND_SERVICE
> LimitNOFILE=96
> RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
> # various hardening options from ansible var aedir_systemd_hardening
> UMask=0077
> PrivateUsers=no
> PrivateTmp=yes
> PrivateDevices=yes
> ProtectSystem=full
> ProtectProc=invisible
> ProtectHome=yes
> ProtectKernelModules=yes
> ProtectKernelTunables=yes
> ProtectKernelLogs=yes
> ProtectControlGroups=yes
> ProtectHostname=yes
> ProtectClock=yes
> NoNewPrivileges=yes
> MountFlags=private
> SystemCallArchitectures=native
> LockPersonality=yes
> KeyringMode=private
> RestrictRealtime=yes
> RestrictNamespaces=yes
> RestrictSUIDSGID=yes
> DevicePolicy=closed
> MemoryDenyWriteExecute=yes
> SystemCallFilter=~ @clock @cpu-emulation @debug @keyring @module @mount @raw-io @reboot @swap @obsolete @chown @privileged @resources @pkey @setuid @timer
> AppArmorProfile=ae-slapd
> 
> [Install]
> WantedBy=multi-user.target
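As an added example (not code from the thread or from Æ-DIR), this C program reproduces what LimitNOFILE= does to the service and answers the question empirically: it lowers RLIMIT_NOFILE to 96 and opens sockets until the kernel refuses with EMFILE. RLIMIT_NOFILE counts every descriptor, sockets included, so a slapd with LimitNOFILE=96 can hold well under 96 client connections once stdio, log, database and listener descriptors are subtracted. The function name and the AF_UNIX sockets used as stand-ins for client connections are this example's own choices.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <unistd.h>

/* Lower the soft RLIMIT_NOFILE to `limit` (the effect of LimitNOFILE= in a
 * unit file), then open AF_UNIX sockets (constructed stand-ins for accepted
 * client connections) until socket() fails with EMFILE.
 * Returns how many sockets fit below the limit, or -1 on an unexpected error.
 * The limit and all sockets are restored/closed before returning. */
int sockets_until_emfile(rlim_t limit) {
    struct rlimit saved, tight;
    if (getrlimit(RLIMIT_NOFILE, &saved) != 0) return -1;
    tight.rlim_cur = limit;          /* soft limit: what the process hits  */
    tight.rlim_max = saved.rlim_max; /* hard limit unchanged               */
    if (setrlimit(RLIMIT_NOFILE, &tight) != 0) return -1;

    int *fds = calloc(limit, sizeof *fds);
    if (!fds) { (void)setrlimit(RLIMIT_NOFILE, &saved); return -1; }

    int n = 0, hit_emfile = 0;
    while ((rlim_t)n < limit) {
        int fd = socket(AF_UNIX, SOCK_STREAM, 0);
        if (fd < 0) { hit_emfile = (errno == EMFILE); break; }
        fds[n++] = fd;
    }
    /* Clean up: close every socket we opened and put the limit back. */
    for (int i = 0; i < n; i++) close(fds[i]);
    free(fds);
    (void)setrlimit(RLIMIT_NOFILE, &saved);
    return hit_emfile ? n : -1;
}

int main(void) {
    int n = sockets_until_emfile(96);
    printf("with RLIMIT_NOFILE=96 only %d sockets could be opened; "
           "stdin/stdout/stderr and other open fds consumed the rest\n", n);
    return n < 0;
}
```

The count comes out below 96 minus the descriptors the process already holds, which is exactly the budget a slapd started with LimitNOFILE=96 has for its listeners, database files, log socket and client connections combined.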

