On 10/19/21 17:10, Quanah Gibson-Mount wrote:
--On Tuesday, October 19, 2021 1:00 AM -0700 "Paul B. Henson" henson@acm.org wrote:
I'm testing openldap 2.5 in preparation for migrating my production services, and I noticed that the 2.5 RPMs no longer create an ldap user and instead run slapd as root by default?
If you want it to run as a non-root user, it's on you to configure it as such, including said user. The majority of Symas customers run as root.
IMHO there's no good reason to let systemd start slapd as root.
Binding to so-called "privileged ports" can be achieved by setting these options in the systemd unit:
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
Also it's good practice to use systemd's sandboxing options based on Linux namespaces. Read about various options called Protect*= and Private*= in systemd.exec(5).
Nevertheless I also recommend adding a custom service account and setting ownership/permissions with decent config management instead of adding this to an RPM .spec or Debian package.
Find below ae-slapd.service generated by Æ-DIR's ansible role.
Ciao, Michael.
# /etc/systemd/system/ae-slapd.service
#-----------------------------------------------------------------------
# initiate:   systemctl enable ae-slapd.service
# start:      systemctl start ae-slapd.service
# get status: systemctl status ae-slapd.service
#
# Ansible managed: ansible-homelan/master
#-----------------------------------------------------------------------

[Unit]
Description=AE-DIR OpenLDAP server
Requires=local-fs.target network.target
After=local-fs.target network.target

[Service]
Type=simple
Environment=LD_PRELOAD=/usr/lib64/libtcmalloc.so.4
Environment=LDAPNOINIT=1
PIDFile=/run/ae-dir/slapd/slapd.pid
ExecStart=/usr/lib64/slapd -d none -n ae-slapd -l LOCAL4 -s 7 -f /opt/ae-dir/etc/openldap/slapd.conf -h 'ldapi://%%2Frun%%2Fae-dir%%2Fslapd%%2Fldapi/????x-mod=0777 ldap://*:389 ldaps://*:636' -o slp=off
WorkingDirectory=/run/ae-dir/slapd
User=ae-dir-slapd
Group=ae-dir-slapd
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
LimitNOFILE=96
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# various hardening options from ansible var aedir_systemd_hardening
UMask=0077
PrivateUsers=no
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=full
ProtectProc=invisible
ProtectHome=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectHostname=yes
ProtectClock=yes
NoNewPrivileges=yes
MountFlags=private
SystemCallArchitectures=native
LockPersonality=yes
KeyringMode=private
RestrictRealtime=yes
RestrictNamespaces=yes
RestrictSUIDSGID=yes
DevicePolicy=closed
MemoryDenyWriteExecute=yes
SystemCallFilter=~ @clock @cpu-emulation @debug @keyring @module @mount @raw-io @reboot @swap @obsolete @chown @privileged @resources @pkey @setuid @timer
AppArmorProfile=ae-slapd

[Install]
WantedBy=multi-user.target
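The points made in the thread (run slapd as a dedicated user, grant only CAP_NET_BIND_SERVICE for ports 389/636, and turn on the systemd Protect*/Private* sandboxing) can be checked mechanically before a unit is deployed. The following linter is an added example for this discussion, not code from the thread, from OpenLDAP, Symas or the Æ-DIR ansible role. It parses systemd unit syntax (sections, repeated keys, backslash continuations) and reports the gaps a reviewer would look for. WEAK_UNIT is a constructed unit that mirrors the "slapd as root" default being discussed; HARDENED_UNIT is an abridged copy of the ae-slapd.service posted above, and the set of checks is this example's own choice rather than a systemd or OpenLDAP recommendation.

```python
"""Static checks for systemd service units running slapd (or any daemon) as root."""
import re
from typing import Dict, List

Unit = Dict[str, Dict[str, List[str]]]   # section -> key -> values in order


def parse_unit(text: str) -> Unit:
    """Parse systemd unit syntax: [Section] headers, Key=Value lines, '#'/';'
    comments and trailing-backslash continuation. Repeated keys are kept in
    order (list semantics); an empty 'Key=' resets the list, as systemd does."""
    unit: Unit = {}
    section = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.rstrip()
        if line.endswith("\\"):             # continuation: join with next line
            pending = line[:-1] + " "
            continue
        pending = ""
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            unit.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            raise ValueError(f"malformed unit line: {line!r}")
        key, _, value = line.partition("=")
        values = unit[section].setdefault(key.strip(), [])
        if value.strip() == "":
            values.clear()
        else:
            values.append(value.strip())
    return unit


def _scalar(svc: Dict[str, List[str]], key: str, default: str = "") -> str:
    """Last assignment wins for scalar settings."""
    vals = svc.get(key, [])
    return vals[-1] if vals else default


def _words(svc: Dict[str, List[str]], key: str) -> List[str]:
    """All assignments concatenated for list settings (capabilities, filters)."""
    return [w for v in svc.get(key, []) for w in v.split()]


# Settings a reviewer expects on a network daemon and the values accepted here.
REQUIRED = {
    "NoNewPrivileges": {"yes", "true", "1", "on"},
    "PrivateTmp": {"yes", "true", "1", "on"},
    "PrivateDevices": {"yes", "true", "1", "on"},
    "ProtectSystem": {"yes", "true", "full", "strict"},   # full/strict are stronger
    "ProtectHome": {"yes", "true", "read-only", "tmpfs"},
}


def audit_service(unit: Unit) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    svc = unit.get("Service", {})
    findings: List[str] = []
    user = _scalar(svc, "User", "root")          # systemd default is root
    if user == "root":
        findings.append("runs as root: set User=/Group= to a dedicated service account")
    extra = set(_words(svc, "AmbientCapabilities")) - {"CAP_NET_BIND_SERVICE"}
    if extra:
        findings.append(f"ambient capabilities beyond CAP_NET_BIND_SERVICE: {sorted(extra)}")
    # Privileged ports in the listener URLs need the capability when not root.
    exec_line = " ".join(svc.get("ExecStart", []))
    ports = [int(p) for p in re.findall(r"\bldaps?://[^\s:'/]*:(\d+)", exec_line)]
    if (user != "root" and any(p < 1024 for p in ports)
            and "CAP_NET_BIND_SERVICE" not in _words(svc, "AmbientCapabilities")):
        findings.append("non-root service binds a privileged port without "
                        "AmbientCapabilities=CAP_NET_BIND_SERVICE (bind will fail)")
    for key, accepted in REQUIRED.items():
        got = _scalar(svc, key)
        if got.lower() not in accepted:
            findings.append(f"{key}= missing or weak (got {got or 'unset'!r})")
    if not svc.get("SystemCallFilter"):
        findings.append("no SystemCallFilter= seccomp filter")
    return findings


# Constructed: the bare "slapd as root" unit the thread complains about.
WEAK_UNIT = """\
[Unit]
Description=slapd running as root (constructed weak example)

[Service]
Type=simple
ExecStart=/usr/lib64/slapd -d none -h 'ldap://*:389 ldaps://*:636'
"""

# Abridged from the ae-slapd.service posted in the thread.
HARDENED_UNIT = """\
[Unit]
Description=AE-DIR OpenLDAP server
After=local-fs.target network.target

[Service]
Type=simple
Environment=LD_PRELOAD=/usr/lib64/libtcmalloc.so.4
Environment=LDAPNOINIT=1
ExecStart=/usr/lib64/slapd -d none -n ae-slapd -f /opt/ae-dir/etc/openldap/slapd.conf \\
    -h 'ldapi://%%2Frun%%2Fae-dir%%2Fslapd%%2Fldapi/????x-mod=0777 ldap://*:389 ldaps://*:636'
User=ae-dir-slapd
Group=ae-dir-slapd
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=full
ProtectHome=yes
NoNewPrivileges=yes
SystemCallFilter=~ @clock @cpu-emulation @debug @keyring @module @mount @raw-io @reboot @swap @obsolete
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_UNIT), ("hardened", HARDENED_UNIT)):
        print(name, audit_service(parse_unit(text)) or ["OK"])
```

Running it prints seven findings for the constructed unit and OK for the abridged ae-slapd.service; dropping only the AmbientCapabilities= line from the hardened unit produces the single finding that a non-root slapd cannot bind 389/636, which is exactly the trap people hit when they switch User= without reading the thread's capability advice.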