Why is dxserver owned by root? As part of our installations, when installing EEM (with root), we tell it we want the ownership to be ID 'user', which is reflected for all other files correctly as user. However, for dxserver it seems to install as root. Is there a reason for this?
The dxserver process, a core component of Embedded Entitlements Manager (EEM), is owned by the root user primarily for security and operational reasons related to privileged port binding on UNIX/Linux systems.
The Primary Reason: Binding to Privileged Ports
The main reason the dxserver executable is owned by root and has the setuid (sticky bit) permission is that operating systems restrict the use of ports below 1024 to the root user.
dxserver (CA Directory) defaults to using port 509, which is a privileged port.
The dxserver executable has the setuid bit set (-rwsr-x---). This allows the process to be started by a non-root user (typically the dsa user) but to execute with root privileges. This elevation is necessary for the process to bind to port 509.
If dxserver cannot run as root, it will fail to register the required ports and will shut down, often with errors like DSA_E1990 Cannot register SNMP address and DSA_E1280 Error in initialization files in the alarm logs. This can happen if the filesystem where EEM is installed is mounted with a nosetuid restriction.
How it Works in Practice
The dxserver binary is owned by root and has permissions such as 4750 (-rwsr-x---).
The process is started by the dsa user (the default user for CA Directory services).
Because of the setuid bit, when the dsa user executes dxserver, the operating system kernel grants the process root privileges for its execution.
Running as root, the process can successfully bind to port 509.
Even though the process runs as root, the log files in the $DXHOME/logs directory must be writable by the dsa user, as the process may drop privileges for certain operations or require the initiating user to have write access. If log files are owned by root, dxserver can fail to start because the dsa user cannot write to them.
In summary, dxserver is owned by root to allow it to bind to the default privileged port 509 by using the setuid permission, a standard UNIX mechanism for granting temporary elevated rights to specific programs.
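The three conditions described above (root-owned setuid binary, a filesystem that honours setuid, and log files not owned by root) can be checked with a short script. This is an added example, not vendor-supplied code; the function names are hypothetical, it assumes Linux with GNU stat and util-linux findmnt, and it matches both the Linux mount option spelling nosuid and the nosetuid wording used above.

```shell
#!/bin/sh
# Added example: audit the setuid prerequisites for dxserver.
# Usage (paths are placeholders, adjust to the installation):
#   audit_dxserver /path/to/dxserver "$DXHOME/logs"

# Succeed if the file has the setuid bit set.
has_setuid() { [ -u "$1" ]; }

# Succeed if a comma-separated mount option string disables setuid.
opts_block_setuid() {
    case ",$1," in
        *,nosuid,*|*,nosetuid,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print regular files under directory $1 that are owned by user $2.
logs_owned_by() { find "$1" -type f -user "$2"; }

# Report every condition that would stop dxserver binding its port.
audit_dxserver() {
    bin=$1 logdir=$2 rc=0
    owner=$(stat -c '%U' "$bin")   # GNU stat: owner name
    mode=$(stat -c '%a' "$bin")    # GNU stat: octal mode, e.g. 4750
    [ "$owner" = root ] || { echo "FAIL: $bin owned by $owner, expected root"; rc=1; }
    has_setuid "$bin" || { echo "FAIL: setuid bit missing on $bin (mode $mode)"; rc=1; }
    # Mount options of the filesystem that holds the binary.
    opts=$(findmnt -n -o OPTIONS -T "$bin")
    if opts_block_setuid "$opts"; then
        echo "FAIL: filesystem ignores setuid (options: $opts)"; rc=1
    fi
    # Root-owned logs are the failure case described in the text.
    bad=$(logs_owned_by "$logdir" root)
    [ -z "$bad" ] || { echo "FAIL: log files owned by root:"; echo "$bad"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: setuid prerequisites satisfied"
    return "$rc"
}
```
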