Configuring Components With Non-root?

Usually I configure my services to run as non-root. I am going to be installing AM (realm mode) with Sun web server as the web container. Read in the manual about non-root install and it does not seem to be a problem. Are there any other issues to be concerned about? Do people usually run AM as root? Are there issues with java and running scripts?

[356 byte] By [Xoth] at [2007-11-26 10:49:47]
# 1

Not really. It's just the usual (ports greater than 1023 and things like that). All components can be turned to non-root after installing as root.

It's only the Directory server which is tricky, so if you want it to run as non-root, I'd suggest you do that during the installation itself. Other than that, it's pretty straightforward.

And, oh yes, if you know of a way to convert an installed instance of Directory server to run as a non-root user, I'd sincerely appreciate the help.

ankushkapoor at 2007-7-7 3:02:21
# 2
Thanks. Well, on page 155 in the JES 2005Q4 install guide for Unix they mention non-root directory config. I don't understand why all the non-root instructions state to run on ports greater than 1024? I am obviously going to run DS on 389 and 636.

Xoth at 2007-7-7 3:02:21
# 3

The reason why a non-root process must listen on a port greater than 1023 is traditional Unix security. Ports less than 1024 were "trusted". For example, a web server would normally run on 80 / 443, an SMTP server on 25, and so on. The reason this mechanism was adopted was to prevent users who have access to the machine from starting rogue services which may fool others into revealing sensitive information (say I run a script emulating a telnet service on port 23, and capture everyone's password before letting them log in...).

Thanks for that page. I just found the mechanism provided there too convoluted! ;)

ankushkapoor at 2007-7-7 3:02:21
# 4

The odd thing is, though, that this is a solved problem. Web servers normally listen on port 80 and port 443 because they start as root, grab the port and then drop privs, and their ownership changes to a non-root web server account. Best of both worlds: a secure non-root account AND listening on normal ports. Sun web server and directory server can both do this just fine, and in fact it is their default mode of operation if you tell them to run as a non-root account on installation. So I've been unclear as to why this was suggested in the docs. I thought maybe there were some Java daemons running as part of Access Manager which would fail, but I don't know if this is true. The directory server, on the other hand, has nothing special about it which should prevent it from running on port 389 or 636 and dropping privs to a non-root account.

ChristopherNebergall at 2007-7-7 3:02:21
# 5

If you're running Solaris 10, you can use the S10 net_privaddr privilege to let a non-root user run Directory Server on a port < 1024. For example:

useradd -c "Directory Server reserved UID" -d / dirservd
groupadd dirservd
usermod -G dirservd dirservd
usermod -K defaultpriv=basic,net_privaddr dirservd

HTH,

David

dgolds at 2007-7-7 3:02:21
# 6

Well, it's easy to do a JES install with the "configure now" option and install Directory and Web Server with non-root users. Note: do each install in a separate session. And yes, they start as root and then switch to non-root. AM is what I am worried about :)

I wish the previously mentioned installation manual showed how to do an Access Manager "configure now" install for non-root as well, instead of later. I get an admin screen as the first page of the AM "configure now" install which is not the amadmin but something else, I assume the web container. Not sure what to do with the "configure now" settings for AM. Do I set some or all users to the non-root user of the web container?

Xoth at 2007-7-7 3:02:21