oidentd by default runs as root, and if any extra options need to be added, the init script needs to be edited. These simple patches add options from /etc/conf.d to be used:

# diff -r /usr/portage/net-misc/oidentd/files/oidentd-init /etc/init.d/oidentd 12c12,13 < start-stop-daemon --start --quiet --exec /usr/sbin/oidentd --- > OPTIONS="${OPTIONS} -u ${USER} -g ${GROUP}" > start-stop-daemon --start --quiet --exec /usr/sbin/oidentd -- $OPTIONS

New file: /etc/conf.d/oidentd

# oidentd start-up options
USER="nobody"
GROUP="nobody"
OPTIONS=""
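Review bot: in the `12c12,13` hunk, `OPTIONS="${OPTIONS} -u ${USER} -g ${GROUP}"` is built with no check that either variable is set, so an /etc/conf.d/oidentd that leaves USER= empty produces `-u -g nobody`, and getopt hands the next token, `-g`, to oidentd as the user name. Guard both variables before the assignment, for example `[ -n "${USER}" ] && [ -n "${GROUP}" ] || { eerror "USER/GROUP unset in /etc/conf.d/oidentd"; return 1; }`. Leaving `$OPTIONS` unquoted after `--` is correct here, since it has to be word-split into separate arguments.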
In order to handle IP masqueraded/NAT connections, oidentd has to run as root ... not sure about other types of connections.
I'm currently using oidentd on my debian gateway, and it handles this fine.

nobody 235 0.0 0.7 1500 572 ? S Jun12 0:00 /usr/sbin/oidentd -m -f -u nobody -g nogroup

It's running linux 2.4 as well. I suppose if you are using grsecurity then it might restrict /proc/net/ip_conntrack, but in that case just run oidentd in an allowed group - no need to run it as root if it doesn't need it.
Hmm, I swear I read somewhere oh so long ago that root was required to read masq info ... but you're right, that proc file is open to everyone ... then how do you bind to ports sub 1024 if it's not running as root?
I think you might have needed root for reading masq information on linux 2.2. It initially has root privileges, but after it has bound the port it can drop privileges to a normal user.
oidentd was my first ebuild - sorry for the root problem :) I built in some check_config(), to check if $USER and $GROUP are set.

-phoen][x-

gravity init.d # diff -ru /usr/portage/net-misc/oidentd/files/oidentd-init /etc/init.d/oidentd
--- /usr/portage/net-misc/oidentd/files/oidentd-init Thu Apr 11 00:24:08 2002 +++ /etc/init.d/oidentd Fri Jun 21 20:23:10 2002 @@ -4,12 +4,28 @@ # /space/gentoo/cvsroot/gentoo-x86/net-misc/oidentd/files/oidentd-init,v 1.1 2002/04/10 22:24:08 woodchip Exp depend() { - need net + need net } +check_config() { + if [ -z "${USER}" ] + then + eerror "Please set \$USER in /etc/conf.d/oidentd!" + return 1 + fi + if [ -z "${GROUP}" ] + then + eerror "Please set \$GROUP in /etc/conf.d/oidentd!" + return 1 + fi +} + + start() { + check_config || return 1 ebegin "Starting oidentd" - start-stop-daemon --start --quiet --exec /usr/sbin/oidentd + OPTIONS="${OPTIONS} -u ${USER} -g ${GROUP}" + start-stop-daemon --start --quiet --exec /usr/sbin/oidentd -- $OPTIONS eend $? }
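Review bot: check_config() tests `[ -z "${USER}" ]`, but USER is also the login environment variable (root's shell exports USER=root), so if the init script inherits the caller's environment the check passes with an empty /etc/conf.d/oidentd and start() still runs oidentd with `-u root`, the very thing the patch is meant to prevent; use names that cannot collide, such as OIDENTD_USER and OIDENTD_GROUP, and consider verifying that the account exists (`getent passwd "${USER}"`) rather than only that the string is non-empty. The `- need net` / `+ need net` pair in depend() differs only in whitespace and should be dropped from the patch.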