Bug 3816 - oidentd runs as root and requires /etc/init.d to be edited
Summary: oidentd runs as root and requires /etc/init.d to be edited
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: x86 Linux
Importance: High normal
Assignee: Donny Davies (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2002-06-17 12:31 UTC by David Leadbeater
Modified: 2003-02-04 19:42 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments

Description David Leadbeater 2002-06-17 12:31:15 UTC
oidentd by default runs as root and if any extra options need to be added the
init script needs to be edited.

These simple patches add options from /etc/conf.d to be used:

# diff -r /usr/portage/net-misc/oidentd/files/oidentd-init /etc/init.d/oidentd
12c12,13
<       start-stop-daemon --start --quiet --exec /usr/sbin/oidentd
---
>       OPTIONS="${OPTIONS} -u ${USER} -g ${GROUP}"
>       start-stop-daemon --start --quiet --exec /usr/sbin/oidentd -- $OPTIONS
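Review bot: the variable name in `OPTIONS="${OPTIONS} -u ${USER} -g ${GROUP}"` is a problem: `USER` is already exported by the login shell of whoever runs the init script, so if /etc/conf.d/oidentd is missing or leaves USER blank the daemon is silently started with `-u root` (or the invoking account), which is exactly what this change sets out to avoid; an empty GROUP instead yields a bare `-g` with no argument. Suggest package-specific names such as `OIDENTD_USER` and `OIDENTD_GROUP`, and a check that both are non-empty before the `start-stop-daemon` line so the script fails closed rather than falling back to root. Leaving `$OPTIONS` unquoted after `--` is intentional (the options must word-split into separate arguments) and deserves a comment saying so.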


New file: /etc/conf.d/oidentd

# oidentd start-up options
USER="nobody"
GROUP="nobody"
OPTIONS=""
Comment 1 SpanKY gentoo-dev 2002-06-18 19:27:11 UTC
in order to handle IP masqueraded/NAT connections, oidentd has to run as 
root ... not sure about other types of connections
Comment 2 David Leadbeater 2002-06-19 12:45:34 UTC
I'm currently using oidentd on my debian gateway - and it handles this fine. 
nobody     235  0.0  0.7  1500  572 ?        S    Jun12   0:00 
/usr/sbin/oidentd -m -f -u nobody -g nogroup 
 
it's running linux 2.4 as well. 
I suppose if you are using grsecurity then it might restrict 
/proc/net/ip_conntrack, but in that case just run oidentd in an allowed group - 
no need to run it as root if it doesn't need it. 
Comment 3 SpanKY gentoo-dev 2002-06-19 18:26:22 UTC
hmm, i swear i read somewhere oh so long ago root was required to read masq 
info ... but you're right, that proc file is open to everyone ...

then how do you bind to ports sub 1024 if it's not running as root?
Comment 4 David Leadbeater 2002-06-20 05:59:54 UTC
I think you might have needed root for reading masq information on linux 2.2. 
It initially has root privileges but after it has bound the port it can drop 
privileges to a normal user.
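The bind-then-drop sequence described in the comment above, written out as an added example (this is not oidentd's source and not part of the bug report): the listener is created while still root, then supplementary groups, gid and uid are dropped in that order and the drop is verified to be irreversible before any client is served. The function names, the loopback/port-0 listener and the fallback uid/gid of 65534 are this example's own assumptions.

```c
/* Added example, not oidentd's code: bind the listening socket first, then
 * permanently drop root before touching any client data. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Bind and listen on `port` on the loopback address. An ident daemon would
 * use 113, which needs root; port 0 (assumption for this example) lets the
 * kernel choose a free ephemeral port so the code also runs unprivileged.
 * Returns the listening fd, or -1 on failure. */
int bind_listener(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);

    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permanently switch to uid/gid. Order matters: supplementary groups and the
 * gid must be changed first, because once the uid is no longer 0 the process
 * may no longer change them. Returns 0 on success, -1 if any step failed or
 * if root could still be regained afterwards. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Clearing supplementary groups is only permitted (and only needed) as root. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* The drop must be irreversible: switching back to uid 0 has to fail. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    /* Confirm real and effective ids both ended up where we asked. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

int main(void)
{
    int fd = bind_listener(0);
    if (fd < 0) {
        perror("bind_listener");
        return 1;
    }
    /* A real daemon resolves the configured account with getpwnam(); here
     * 65534 (commonly "nobody", an assumption) is used when running as root,
     * otherwise the current ids so the example runs for any user. */
    uid_t target_uid = getuid() == 0 ? 65534 : getuid();
    gid_t target_gid = getgid() == 0 ? 65534 : getgid();
    if (drop_privileges(target_uid, target_gid) != 0) {
        perror("drop_privileges");
        close(fd);
        return 1;
    }
    printf("listening on fd %d as uid %u gid %u\n",
           fd, (unsigned)getuid(), (unsigned)getgid());
    close(fd);
    return 0;
}
```

The check that `setuid(0)` fails after the drop is what distinguishes a real privilege drop from a temporary one: if the saved set-user-id were still 0 the daemon could be talked back into root by any later bug, so a daemon should refuse to serve rather than continue when that check fails.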
Comment 5 phoen][x 2002-06-21 13:22:20 UTC
oidentd was my first ebuild - sorry for the root problem :)
i built in some check_config(), to check if $USER and $GROUP are set.

-phoen][x-

gravity init.d # diff -ru /usr/portage/net-misc/oidentd/files/oidentd-init /etc/init.d/oidentd
--- /usr/portage/net-misc/oidentd/files/oidentd-init    Thu Apr 11 00:24:08 2002
+++ /etc/init.d/oidentd Fri Jun 21 20:23:10 2002
@@ -4,12 +4,28 @@
 # /space/gentoo/cvsroot/gentoo-x86/net-misc/oidentd/files/oidentd-init,v 1.1
2002/04/10 22:24:08 woodchip Exp
 
 depend() {
-       need net
+    need net
 }
 
+check_config() {
+       if [ -z "${USER}" ]
+       then
+               eerror "Please set \$USER in /etc/conf.d/oidentd!"
+               return 1
+       fi
+       if [ -z "${GROUP}" ]
+       then
+               eerror "Please set \$GROUP in /etc/conf.d/oidentd!"
+               return 1
+       fi
+}
+
+
 start() {
+       check_config || return 1
        ebegin "Starting oidentd"
-       start-stop-daemon --start --quiet --exec /usr/sbin/oidentd
+       OPTIONS="${OPTIONS} -u ${USER} -g ${GROUP}"
+       start-stop-daemon --start --quiet --exec /usr/sbin/oidentd -- $OPTIONS
        eend $?
 }
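Review bot: check_config() only verifies that `${USER}` and `${GROUP}` are non-empty, but `USER` is exported by the login shell of whoever runs `/etc/init.d/oidentd start`, so with no /etc/conf.d/oidentd at all the USER test passes and the start() line builds `-u root` (the GROUP test would still fire, but only by luck of that variable not being set). Use package-specific names such as `OIDENTD_USER`/`OIDENTD_GROUP` and have check_config() also confirm the account exists, not merely that the variable is set. Separately, the `-       need net` / `+    need net` pair changes only indentation (tab to four spaces) and should be left out of the patch as whitespace noise.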