[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#4750) libldap initialization of ~/.ldaprc and setuid

To: Russ Allbery <rra@debian.org>
Subject: Re: (ITS#4750) libldap initialization of ~/.ldaprc and setuid
From: Howard Chu <hyc@symas.com>
Date: Tue, 14 Nov 2006 23:25:59 -0800
Cc: 387467@bugs.debian.org, openldap-bugs@openldap.org, pkg-openldap-devel@lists.alioth.debian.org
In-reply-to: <878xidteic.fsf@windlord.stanford.edu>
References: <E1GjmZS-0003Wy-Is@alioth.debian.org> <86CAE48AF837524C728A57A3@SW-90-717-287-3.stanford.edu> <87odraznm8.fsf@windlord.stanford.edu> <BFAC2EFBB99E38D3EA35DC6C@SW-90-717-287-3.stanford.edu> <20061115022804.GC19172@borges.dodds.net> <7A6F8890417F9E17701E4506@SW-90-717-287-3.stanford.edu> <87bqn9whwj.fsf@windlord.stanford.edu> <7877A822AFF63CAD5F8007B4@SW-90-717-287-3.stanford.edu> <87velhv0wh.fsf_-_@windlord.stanford.edu> <455A99A7.2060006@symas.com> <874pt1uwz3.fsf@windlord.stanford.edu> <455AAFA3.2050309@symas.com> <878xidteic.fsf@windlord.stanford.edu>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20061109 Netscape/7.2 (ax) Firefox/1.5 SeaMonkey/1.5a

Russ Allbery wrote:

I assume from the ldap.conf documentation that if tls_cacertfile is set,
tls_cacertdir is irrelevant?  Or are both explored for a root cert to
validate the remote server?


Both will get used.

I think that if both the NSS and PAM modules deal with those variables,
that removes most of my concern.  I'd still feel generally better with a
safety net in the library for setuid processes on the principle of defense
in depth and because safely using the LDAP library in such a situation
requires thinking more about configuration initialization than I think
some users may realize, but I'll freely admit that my concern at that
point is theoretical.

I'm not totally convinced yet, will think about it. The patch would have to be #ifdef'd (HAVE_GETEUID or something) since it would not be relevant on Windows and some other obscure platforms. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc OpenLDAP Core Team http://www.openldap.org/project/

References:
- Re: (ITS#4750) libldap initialization of ~/.ldaprc and setuid
  - From: Russ Allbery <rra@debian.org>
- Re: (ITS#4750) libldap initialization of ~/.ldaprc and setuid
  - From: Howard Chu <hyc@symas.com>
- Re: (ITS#4750) libldap initialization of ~/.ldaprc and setuid
  - From: Russ Allbery <rra@debian.org>
- Re: (ITS#4750) libldap initialization of ~/.ldaprc and setuid
  - From: Howard Chu <hyc@symas.com>
- Re: (ITS#4750) libldap initialization of ~/.ldaprc and setuid
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Re: (ITS#4750) libldap initialization of ~/.ldaprc and setuid
Next by Date: (ITS#4753) Minor section error in slapo-retcode manpage
Index(es):
- Chronological
- Thread