List: openldap-technical
Subject: Antw: [EXT] Re: Symas OpenLDAP 2.5 RPMs run slapd as root?
From: "Ulrich Windl" <Ulrich.Windl () rz ! uni-regensburg ! de>
Date: 2021-10-20 7:31:51
Message-ID: 616FC5E7020000A100044A0D () gwsmtp ! uni-regensburg ! de
Hi!
Wondering about "LimitNOFILE=96": Wouldn't that limit the open sockets
(connections) as well?
Regards,
Ulrich
>>> Michael Ströder <michael@stroeder.com> wrote on 19.10.2021 at 18:17 in
message <cfde6c8a-aee8-a5fa-02c6-5f5d6ecf0d3f@stroeder.com>:
> On 10/19/21 17:10, Quanah Gibson-Mount wrote:
>> --On Tuesday, October 19, 2021 1:00 AM -0700 "Paul B. Henson"
>> <henson@acm.org> wrote:
>>
>>> I'm testing openldap 2.5 in preparation for migration my production
>>> services, and I noticed that the 2.5 RPMs no longer create an ldap user
>>> and instead run slapd as root by default?
>>
>> If you want it to run as a non-root user, it's on you to configure it as
>> such, including said user. The majority of Symas customers run as root.
>
> IMHO there's no good reason to let systemd start slapd as root.
>
> Binding to so-called "privileged ports" can be achieved by setting these
> options in the systemd unit:
>
> CapabilityBoundingSet=CAP_NET_BIND_SERVICE
> AmbientCapabilities=CAP_NET_BIND_SERVICE
>
> Also it's good practice to use systemd's sandboxing options based on
> Linux namespaces. Read about various options called Protect*= and
> Private*= in systemd.exec(5).
>
> Nevertheless I also recommend to add a custom service account and set
> ownership/permissions with a decent config management instead of adding
> this to a RPM .spec or Debian package.
>
> Find below ae-slapd.service generated by Æ-DIR's ansible role.
>
> Ciao, Michael.
>
> # /etc/systemd/system/ae-slapd.service
> #-----------------------------------------------------------------------
> # initiate: systemctl enable ae-slapd.service
> # start: systemctl start ae-slapd.service
> # get status: systemctl status ae-slapd.service
> #
> # Ansible managed: ansible-homelan/master
> #-----------------------------------------------------------------------
>
> [Unit]
> Description=AE-DIR OpenLDAP server
> Requires=local-fs.target network.target
> After=local-fs.target network.target
>
> [Service]
> Type=simple
> Environment=LD_PRELOAD=/usr/lib64/libtcmalloc.so.4
> Environment=LDAPNOINIT=1
> PIDFile=/run/ae-dir/slapd/slapd.pid
> ExecStart=/usr/lib64/slapd -d none -n ae-slapd -l LOCAL4 -s 7 -f /opt/ae-dir/etc/openldap/slapd.conf -h 'ldapi://%%2Frun%%2Fae-dir%%2Fslapd%%2Fldapi/????x-mod=0777 ldap://*:389 ldaps://*:636' -o slp=off
> WorkingDirectory=/run/ae-dir/slapd
> User=ae-dir-slapd
> Group=ae-dir-slapd
> CapabilityBoundingSet=CAP_NET_BIND_SERVICE
> AmbientCapabilities=CAP_NET_BIND_SERVICE
> LimitNOFILE=96
> RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
> # various hardening options from ansible var aedir_systemd_hardening
> UMask=0077
> PrivateUsers=no
> PrivateTmp=yes
> PrivateDevices=yes
> ProtectSystem=full
> ProtectProc=invisible
> ProtectHome=yes
> ProtectKernelModules=yes
> ProtectKernelTunables=yes
> ProtectKernelLogs=yes
> ProtectControlGroups=yes
> ProtectHostname=yes
> ProtectClock=yes
> NoNewPrivileges=yes
> MountFlags=private
> SystemCallArchitectures=native
> LockPersonality=yes
> KeyringMode=private
> RestrictRealtime=yes
> RestrictNamespaces=yes
> RestrictSUIDSGID=yes
> DevicePolicy=closed
> MemoryDenyWriteExecute=yes
> SystemCallFilter=~ @clock @cpu-emulation @debug @keyring @module @mount @raw-io @reboot @swap @obsolete @chown @privileged @resources @pkey @setuid @timer
> AppArmorProfile=ae-slapd
>
> [Install]
> WantedBy=multi-user.target
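The following is an added example and is not code from this thread, from Symas' RPMs or from Æ-DIR's ansible role. It lints a systemd unit for the three points raised in the thread: whether the service runs as root, whether a non-root User= that listens below port 1024 has CAP_NET_BIND_SERVICE in the ambient (and, if restricted, bounding) set, and whether LimitNOFILE= is large enough for an expected number of client connections, since the soft RLIMIT_NOFILE caps every open descriptor, sockets included. It assumes one Key=Value per line with no backslash continuations and slapd-style `-h 'ldap://host:port ...'` listener URLs; the two sample units are constructed (one modelled on the quoted ae-slapd.service, one on a default that runs as root), the 64-descriptor headroom for database and log files is an assumed margin, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example (not code from the thread or from AE-DIR). Lints a systemd
# unit for: running as root, binding ports <1024 as a non-root User=, and a
# LimitNOFILE= too small for the expected connection count. Assumes one
# Key=Value per line, no backslash continuations, and slapd-style -h URLs.
# All function names are hypothetical.

# unit_get FILE KEY: value of the last KEY= assignment (systemd keeps the last)
unit_get() {
    sed -n "s/^[[:space:]]*$2=[[:space:]]*//p" "$1" | tail -n 1
}

# unit_listeners FILE: the ldap/ldaps/ldapi URLs from ExecStart, one per line
unit_listeners() {
    unit_get "$1" ExecStart | tr " '" '\n\n' | sed -n '/^ldap[is]\{0,1\}:\/\//p'
}

# unit_ports FILE: TCP ports of the ldap:// and ldaps:// listeners (ldapi:// has none)
unit_ports() {
    unit_listeners "$1" | sed -n 's/^ldaps\{0,1\}:\/\/[^:]*:\([0-9][0-9]*\).*/\1/p'
}

# unit_check FILE EXPECTED_CONNS: print one FINDING:/INFO: line per issue
unit_check() {
    uc_file=$1; uc_conns=$2
    uc_user=$(unit_get "$uc_file" User)
    if [ -z "$uc_user" ] || [ "$uc_user" = root ]; then
        echo "FINDING: no User= (or User=root): slapd runs as root"
    else
        # Ports <1024 need CAP_NET_BIND_SERVICE in the ambient set, and a
        # restricted bounding set must not drop it.
        uc_priv=$(unit_ports "$uc_file" | awk '$1 < 1024 {p = p (p ? " " : "") $1} END {print p}')
        uc_amb=$(unit_get "$uc_file" AmbientCapabilities)
        uc_bound=$(unit_get "$uc_file" CapabilityBoundingSet)
        if [ -n "$uc_priv" ]; then
            case " $uc_amb " in
                *" CAP_NET_BIND_SERVICE "*) ;;
                *) echo "FINDING: port(s) $uc_priv need AmbientCapabilities=CAP_NET_BIND_SERVICE for User=$uc_user" ;;
            esac
            case " $uc_bound " in
                "  "|*" CAP_NET_BIND_SERVICE "*) ;;
                *) echo "FINDING: CapabilityBoundingSet= drops CAP_NET_BIND_SERVICE" ;;
            esac
        fi
    fi
    # Soft fd limit versus connections + listeners + headroom for DB/log files
    # (64 is an assumed margin, not a figure taken from slapd).
    uc_soft=$(unit_get "$uc_file" LimitNOFILE | cut -d: -f1)
    uc_need=$(( uc_conns + $(unit_listeners "$uc_file" | awk 'END {print NR}') + 64 ))
    if [ -z "$uc_soft" ]; then
        echo "INFO: LimitNOFILE= not set; systemd's DefaultLimitNOFILE applies"
    elif [ "$uc_soft" != infinity ] && [ "$uc_soft" -lt "$uc_need" ]; then
        echo "FINDING: LimitNOFILE=$uc_soft < ~$uc_need descriptors for $uc_conns connections"
    fi
}

# unit_finding_count FILE EXPECTED_CONNS: number of FINDING: lines
unit_finding_count() {
    unit_check "$1" "$2" | awk '/^FINDING:/ {n++} END {print n+0}'
}

# Constructed sample units: one modelled on the quoted ae-slapd.service,
# one on an unmodified default that runs as root.
write_hardened_unit() {
cat >"$1" <<'EOF'
[Service]
ExecStart=/usr/lib64/slapd -d none -h 'ldapi://%%2Frun%%2Fae-dir%%2Fslapd%%2Fldapi/????x-mod=0777 ldap://*:389 ldaps://*:636'
User=ae-dir-slapd
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
LimitNOFILE=96
EOF
}
write_root_unit() {
cat >"$1" <<'EOF'
[Service]
ExecStart=/usr/lib64/slapd -d none -h 'ldap://*:389 ldaps://*:636'
LimitNOFILE=65536
EOF
}

# Stand-alone demo with 200 expected client connections.
demo_dir=$(mktemp -d)
write_hardened_unit "$demo_dir/ae-slapd.service"
write_root_unit "$demo_dir/slapd.service"
for demo_unit in "$demo_dir"/*.service; do
    echo "== $demo_unit"
    unit_check "$demo_unit" 200
done
rm -rf "$demo_dir"
```

Run it against a real unit with `unit_check /etc/systemd/system/ae-slapd.service <expected-connections>`; for the quoted unit the only finding at 200 connections is the LimitNOFILE= line, while the same unit passes at 20. Whatever this script says, the authoritative check is the running process: `cat /proc/$(pidof slapd)/limits` shows the effective soft and hard "Max open files".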