[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ITS#98 'user' patch for BSD systems

To: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Subject: Re: ITS#98 'user' patch for BSD systems
From: patl@phoenix.volant.org
Date: Sun, 14 Mar 1999 22:55:23 -0800 (PST)
Cc: openldap-devel@OpenLDAP.org
In-reply-to: <HBF.990315ou39@bombur.uio.no>

> Thanks.  Then I suggest we require groups to be specified if the user is
> numeric _and_ getpwuid() failed (so run_username == NULL).  Since ps/ls
> don't do or say anything clever, people who use uids with multiple
> usernames need to know what they are doing anyway.

Sounds good to me.

> > That looks reasonable.  You might be able to simplify a little by
> > leaving ngids==0 for the initgroups case and making that final part:
> > 
> >     if ( run_uid != 0 ) {
> 
> Poor 'root' - isn't he allowed to grab a group id and use that to access
> the database? :-)  He might be mapped to 'nobody' on some relevant
> filesystem.  This seems better:

Hmm.  I'd forgotten about the NFS uid mapping.  Probably because
having a server require a database accessed via a remote filesystem
doesn't really sound like a very good idea.  But I'm sure someone
will want to do it.  They'll need to know what's going on to pick
a group; but they may have other (local) databases that require
root...

I would suggest initializing run_uid to -1 to indicate that we should
just leave the real/effective uid/gid alone; but some systems still
use that for 'nobody'.  (I've also seen -2 used.)  We may have to
go for a separate flag if we need an out-of-band signal.


> > But your version is better if we assume the possible addition of
> > separate -u and -g command-line options; and we allow -g to be
> > specified without -u.  Separate options seems likely since that
> > provides the easiest way of parsing multiple groups.
> 
> Whoever adds options can worry about that.

But we may as well make life easy for them; as long as it doesn't
make it any harder for us.

> But maybe the easiest to implement is
>      -c "slapd.conf-line"
> in any case.

I like the additional generalization.  But that would mean that we
need to set it up so that if there are multiple user commands, the
first one is used and the additional ones are ignored.  Which means
adding a test instead of letting it just use the last one.  (Note
that we don't really want to issue a warning if we find another
user statement unless we actually go to the trouble to ensure that
the first one was not from the command line.)


-Pat

Follow-Ups:
- Re: ITS#98 'user' patch for BSD systems
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>

References:
- Re: ITS#98 'user' patch for BSD systems
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>

Prev by Date: Re: ITS#98 'user' patch for BSD systems
Next by Date: Re: ITS#98 'user' patch for BSD systems
Index(es):
- Chronological
- Thread