oidentd only works when run as root

Hello

I installed oidentd on FreeBSD 8 on my server with install options no natq and ipv6 enabled.

Now when I run the program as root, it works fine. But when I run it as nobody or as a similar oidentd user it doesn't work. I've set the required config files owned by the right user/group, and when it is not able to access a config file, it mentions this. But now no error messages appear.

My best guess is that the mechanism used to find out what user is connecting at port x only works as root.

Maybe someone else knows a solution?
 
Only root can start services on ports < 1024, so you'll need to start it as root anyway. According to oidentd(8) you can define -u/-g to drop root privileges after start-up.
 
Yes, that's exactly what I meant, using the -u/-g options.
I don't know of another way of starting the process as nobody.
 
You mean running the process as nobody? You can only start it as root because the daemon needs to bind to a privileged port.
 
Maybe this will clear things up

Code:
[foghorn@boxname /usr/ports/security/oidentd]$ sudo /usr/local/sbin/oidentd -C /usr/local/etc/oidentd.conf -u oidentd -g oidentd -d -i
Connection from 194.109.129.220:53047
[194.109.129.220] 20705 , 6667 : ERROR : NO-USER
^C
[foghorn@boxname /usr/ports/security/oidentd]$ sudo /usr/local/sbin/oidentd -C /usr/local/etc/oidentd.conf -d -i
Connection from 208.167.236.6:18339
[208.167.236.6] Successful lookup: 33290 , 6667 : foghorn (foghorn)
^C
What I do here is start the daemon in debug mode and output all messages directly.
Then I trigger an auth request by connecting to some IRC server.
As you can see, the regular run (as root, of course, how else) works as expected, but when using another user (it could be nobody, but here it is a similar user named oidentd), it doesn't work.
At least some parts of the port binding work, since it sends back a reply. But it isn't able to figure out what user is connecting at port 20705, for some reason.
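To make the two debug runs above easier to read, here is an added example (not code from this thread or from oidentd itself) of the RFC 1413 ident exchange they show. It assumes a hypothetical in-memory table of (local port, remote port) -> user as a stand-in for the kernel socket table that the real daemon consults; the table entries are constructed and mirror the ports in the log lines. The request parser and the two reply shapes (USERID on a hit, ERROR : NO-USER on a miss) are the parts that matter for telling a privilege problem in the lookup apart from a port-binding problem.

```python
import re

# Constructed sample table standing in for the kernel's socket/PCB list.
# Keys are (local_port, remote_port) as seen from the ident server's host;
# the one entry mirrors the successful lookup in the debug output above.
CONNECTIONS = {(33290, 6667): "foghorn"}

# RFC 1413 request: "<port-on-server> , <port-on-client>" terminated by CRLF.
REQUEST_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")

def parse_request(line):
    """Return (local_port, remote_port) for a well-formed ident request, else None."""
    m = REQUEST_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    lport, rport = int(m.group(1)), int(m.group(2))
    if not (1 <= lport <= 65535 and 1 <= rport <= 65535):
        return None
    return lport, rport

def ident_reply(line, table=CONNECTIONS, os_name="UNIX"):
    """Build the ident reply line for one request against the given table.

    A lookup miss yields ERROR : NO-USER, which is exactly what the daemon
    returned when started with -u/-g in the thread; a hit yields USERID.
    """
    ports = parse_request(line)
    if ports is None:
        # Echoing "0 , 0" on an unparsable request is this example's choice.
        return "0 , 0 : ERROR : INVALID-PORT\r\n"
    lport, rport = ports
    user = table.get((lport, rport))
    if user is None:
        return "%d , %d : ERROR : NO-USER\r\n" % (lport, rport)
    return "%d , %d : USERID : %s : %s\r\n" % (lport, rport, os_name, user)

def parse_reply(reply):
    """Split an ident reply into its fields; returns a dict with 'status'."""
    fields = [f.strip() for f in reply.rstrip("\r\n").split(":")]
    ports = [int(p) for p in fields[0].split(",")]
    result = {"local_port": ports[0], "remote_port": ports[1], "status": fields[1]}
    if fields[1] == "USERID":
        result["os"] = fields[2]
        result["user"] = fields[3]
    else:
        result["error"] = fields[2]
    return result

if __name__ == "__main__":
    for req in ("33290 , 6667\r\n", "20705 , 6667\r\n", "garbage\r\n"):
        print(repr(req), "->", ident_reply(req).rstrip())
```

Running it prints a USERID reply for the port pair present in the table and ERROR : NO-USER for the pair that is not, which is the same distinction as between the root and the -u oidentd runs above: the listener answered in both cases, so the bind succeeded, and only the table lookup behind the reply differed.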
 
DutchDaemon said:
Only root can start services on ports < 1024, so you'll need to start it as root anyway. According to oidentd(8) you can define -u/-g to drop root privileges after start-up.

FWIW, this behavior is tunable via sysctl(8):

Code:
net.inet.ip.portrange.reservedhigh: 1023

It's 100% not the right approach to getting oidentd running the way you want it, but it's interesting nonetheless.
 