Dropping Privileges

It is highly recommended not to run internet-facing services as root. For this reason, oidentd attempts to switch to an unprivileged user automatically after starting up.

Please note that oidentd is required to run as root on a small number of systems. On these systems, a warning is printed at startup, and privileges are not dropped automatically. In this case, it is recommended to confine the oidentd process in some other way. Your system is affected by this limitation if oidentd --version prints “Needs root access: Yes”.

Default User

By default, oidentd attempts to run as one of the following users, in order of preference. If a user does not exist, oidentd tries to use the next one.

  • oidentd
  • nobody

As a last resort, oidentd switches to user ID 65534 if neither of the above users exists.

Default Group

By default, oidentd attempts to run as one of the following groups, in order of preference. If a group does not exist, oidentd tries to use the next one.

  • oidentd
  • nobody
  • nogroup

As a last resort, oidentd switches to group ID 65534 if none of the above groups exist.

Changing This Behavior

The --user and --group options can be used to run oidentd as another user or group, respectively. oidentd will refuse to start up if the user or group specified by either of these options does not exist, or if privileges cannot be dropped for some other reason.
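The selection and drop sequence described above, written out as an added example in C. This is not oidentd's own code: the candidate lists, the 65534 fallback and the refusal when an explicitly named user or group is missing follow this page, while the function names, the positional arguments standing in for --user and --group, and the verification step that root cannot be regained are assumptions of the example.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Last-resort IDs used when no candidate user or group exists (as documented above). */
#define LAST_RESORT_UID ((uid_t)65534)
#define LAST_RESORT_GID ((gid_t)65534)

/* Candidate names in the documented order of preference. */
static const char *const DEFAULT_USERS[]  = {"oidentd", "nobody"};
static const char *const DEFAULT_GROUPS[] = {"oidentd", "nobody", "nogroup"};

/* Look up one user by name: returns 0 and fills *out, or -1 if it does not exist. */
static int lookup_uid(const char *name, uid_t *out) {
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) return -1;
    *out = pw->pw_uid;
    return 0;
}

/* Same for a group name. */
static int lookup_gid(const char *name, gid_t *out) {
    struct group *gr = getgrnam(name);
    if (gr == NULL) return -1;
    *out = gr->gr_gid;
    return 0;
}

/* Walk the candidate users in order; use `fallback` if none of them exists. */
static uid_t resolve_uid(const char *const *names, size_t count, uid_t fallback) {
    uid_t uid;
    for (size_t i = 0; i < count; i++)
        if (lookup_uid(names[i], &uid) == 0) return uid;
    return fallback;
}

/* Walk the candidate groups in order; use `fallback` if none of them exists. */
static gid_t resolve_gid(const char *const *names, size_t count, gid_t fallback) {
    gid_t gid;
    for (size_t i = 0; i < count; i++)
        if (lookup_gid(names[i], &gid) == 0) return gid;
    return fallback;
}

/* Drop privileges in the safe order (supplementary groups, primary group, then user)
 * and verify that root cannot be regained. Returns 0 on success, -1 otherwise.
 * The order matters: once setuid() has run, setgid()/setgroups() would fail. */
static int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1; /* clear supplementary groups */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* After a real drop, every attempt to become root again must fail. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) return -1;
    return 0;
}

int main(int argc, char **argv) {
    /* Hypothetical CLI: argv[1] and argv[2] stand in for --user and --group. */
    const char *user_opt  = argc > 1 ? argv[1] : NULL;
    const char *group_opt = argc > 2 ? argv[2] : NULL;
    uid_t uid;
    gid_t gid;

    /* An explicitly named user or group gets no fallback: refuse to start if it is missing. */
    if (user_opt != NULL) {
        if (lookup_uid(user_opt, &uid) != 0) {
            fprintf(stderr, "user '%s' does not exist, refusing to start\n", user_opt);
            return 1;
        }
    } else {
        uid = resolve_uid(DEFAULT_USERS, sizeof DEFAULT_USERS / sizeof *DEFAULT_USERS, LAST_RESORT_UID);
    }
    if (group_opt != NULL) {
        if (lookup_gid(group_opt, &gid) != 0) {
            fprintf(stderr, "group '%s' does not exist, refusing to start\n", group_opt);
            return 1;
        }
    } else {
        gid = resolve_gid(DEFAULT_GROUPS, sizeof DEFAULT_GROUPS / sizeof *DEFAULT_GROUPS, LAST_RESORT_GID);
    }

    if (geteuid() != 0) {
        printf("not running as root; nothing to drop (uid=%u)\n", (unsigned)geteuid());
        return 0;
    }
    if (drop_privileges(uid, gid) != 0) {
        perror("dropping privileges failed, refusing to continue");
        return 1;
    }
    printf("now running as uid=%u gid=%u\n", (unsigned)uid, (unsigned)gid);
    return 0;
}
```

Run it as root with no arguments to see the default chain resolve and the process end up unprivileged; pass a nonexistent name as the first argument to see the refusal path. Dropping the group before the user and re-checking with setuid(0)/seteuid(0) afterwards is what makes the drop irreversible rather than merely cosmetic.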