# oidentd only works when run as root



## foghorn (Jul 17, 2010)

Hello

I installed oidentd on freebsd 8 on my server with install options no natq and ipv6 enabled.

Now when I run the program as root, it works fine. But when I run it as nobody or as a similar oidentd user it doesn't work. I've set the required config files owned by the right user/group, and when it is not able to access a config file, it mentions this. But now no error messages appear.

My best guess is that the mechanism used to find out what user is connecting at port x only works as root.

Maybe someone else knows a solution?


----------



## DutchDaemon (Jul 17, 2010)

Only root can *start* services on ports < 1024, so you'll need to start it as root anyway. According to oidentd(8) you can define -u/-g to drop root privileges after start-up.


----------



## foghorn (Jul 17, 2010)

Yes, that's exactly what I meant, using the -u/-g options.
I don't know of another way of starting the process as nobody.


----------



## DutchDaemon (Jul 17, 2010)

You mean _running_ the process as nobody? You can only _start_ it as root because the daemon needs to bind to a privileged port.


----------



## foghorn (Jul 17, 2010)

Maybe this will clear things up


```
[foghorn@boxname /usr/ports/security/oidentd]$ sudo /usr/local/sbin/oidentd -C /usr/local/etc/oidentd.conf -u oidentd -g oidentd -d -i
Connection from 194.109.129.220:53047
[194.109.129.220] 20705 , 6667 : ERROR : NO-USER
^C
[foghorn@boxname /usr/ports/security/oidentd]$ sudo /usr/local/sbin/oidentd -C /usr/local/etc/oidentd.conf -d -i
Connection from 208.167.236.6:18339
[208.167.236.6] Successful lookup: 33290 , 6667 : foghorn (foghorn)
^C
```
What I do here is start the daemon in debug mode and output all messages directly.
Then I trigger an auth request by connecting to some IRC server.
As you can see, the regular run (as root, of course, how else) works as expected, but when using another user (could be nobody, but here it is another similar user named oidentd) it doesn't work.
At least some parts of the port binding work, since it sends back a reply. But it isn't able to figure out what user is connecting at port 20705, for some reason.


----------



## fwaggle (Jul 18, 2010)

DutchDaemon said:

> Only root can *start* services on ports < 1024, so you'll need to start it as root anyway. According to oidentd(8) you can define -u/-g to drop root privileges after start-up.



FWIW, this behavior is tunable via sysctl(8):


```
net.inet.ip.portrange.reservedhigh: 1023
```

It's 100% not the right approach to getting oidentd running the way you want it, but it's interesting nonetheless.
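The two points made in this thread, that a daemon must be root to bind a port at or below the reserved range and that it should then drop root with -u/-g, are shown below in a small C program. This is an added example, not code from oidentd or from the FreeBSD ports tree: it binds the listening socket first (the only step that needs root), then drops supplementary groups, gid and uid in that order, and finally checks that root cannot be regained. The uid/gid 65534 for nobody and the hard-coded reserved-port limit of 1023 (the default for net.inet.ip.portrange.reservedhigh quoted above, not read live from sysctl) are assumptions of the example.

```c
#define _DEFAULT_SOURCE   /* glibc: expose setgroups() even under -std=c99 */
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Ports up to and including this value need root to bind. 1023 is the
 * FreeBSD default of net.inet.ip.portrange.reservedhigh; the value is
 * assumed here rather than read from sysctl(8). */
#define RESERVED_HIGH 1023

/* Assumed uid/gid of the unprivileged "nobody" account on this host. */
#define NOBODY_UID 65534
#define NOBODY_GID 65534

/* Returns 1 if binding `port` requires root for the given reservedhigh. */
int is_reserved_port(int port, int reservedhigh) {
    return port >= 0 && port <= reservedhigh;
}

/* Bind and listen on 127.0.0.1:port (port 0 = any free port). This is done
 * while still root because it is the only step that needs root.
 * Returns the listening socket, or -1 on failure. */
int bind_listen_port(int port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons((uint16_t)port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 8) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Drop to uid/gid in the order that cannot be undone: supplementary groups
 * first (needs root), then gid, then uid (after setuid we could no longer
 * change the gid). Returns 0 on success, -1 with errno set otherwise. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (setgroups(0, NULL) != 0) return -1;   /* no lingering root groups */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    return 0;
}

/* Returns 1 if the process is not root and cannot become root again. */
int privileges_dropped(void) {
    if (geteuid() == 0 || getuid() == 0) return 0;
    if (setuid(0) == 0) return 0;             /* regaining root must fail */
    return errno == EPERM;
}

int main(void) {
    const int ident_port = 113;               /* the port oidentd serves */
    printf("port %d reserved: %s\n", ident_port,
           is_reserved_port(ident_port, RESERVED_HIGH) ? "yes" : "no");
    int fd = bind_listen_port(ident_port);   /* needs root */
    if (fd < 0) { perror("bind"); return 1; }
    if (drop_privileges(NOBODY_UID, NOBODY_GID) != 0) { perror("drop"); return 1; }
    printf("root dropped and unrecoverable: %s\n",
           privileges_dropped() ? "yes" : "NO");
    close(fd);
    return 0;
}
```

Run it as root to see both steps succeed; run as a normal user and the bind of port 113 fails, which is the behaviour DutchDaemon describes. The final check matters because a daemon that drops only the effective uid (seteuid) can switch back to root, so the real uid and the supplementary groups must be dropped too.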


----------

