
Re: breaking up slap_init_user() for better chroot functionality



Daniel Ott wrote:

> I attempted a minimal chroot installation of slapd today which failed due to the following error:
>
> /etc/pwd.db: No such file or directory
>
> After reading through the source for main.c and user.c and the discussions on the devel mailing list about the addition of the chroot feature I'm left wondering if slap_init_user() should be rewritten in two pieces. The first part of slap_init_user() currently does uid and gid lookups in the system databases and the second part drops privilege. If broken up, the first part could then be called before the chroot allowing for chroot installs without having to copy /etc/pwd.db to ${CHROOTDIR}/etc/pwd.db.
>
> I'm looking at the 2.2.17 tar ball.
>
> Is this sane or am I missing something?

I note that usually setuid() is seen as an alternative to chroot(), i.e. either the server runs as root in a sandbag, or it runs in the real world with limited privileges; having both sounds a bit excessive.


Ciao, p.




SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
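
The two-phase split proposed in the quoted message, sketched as an added example; it is not part of the original thread and not OpenLDAP's code. The names run_ids, parse_id, resolve_ids and jail_and_drop are hypothetical: the lookups run while the real system databases are still reachable, and only numeric ids are used after chroot().

```c
#define _DEFAULT_SOURCE          /* exposes chroot() and setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <unistd.h>

struct run_ids { uid_t uid; gid_t gid; };   /* hypothetical carrier for phase 1 results */

/* Parse an all-digit id; 0 on success, -1 if s is not a usable number. */
static int parse_id(const char *s, unsigned long *out) {
    char *end;
    if (*s < '0' || *s > '9') return -1;
    errno = 0;
    *out = strtoul(s, &end, 10);
    /* reject overflow and values that would truncate (e.g. wrap to id 0) */
    return (errno || *end != '\0' || *out >= 0xFFFFFFFFUL) ? -1 : 0;
}

/* Phase 1, before chroot(): the only step that needs /etc/passwd, pwd.db, NSS. */
int resolve_ids(const char *user, const char *group, struct run_ids *ids) {
    struct passwd *pw;
    struct group *gr;
    unsigned long n;
    if (parse_id(user, &n) == 0) ids->uid = (uid_t)n;
    else if ((pw = getpwnam(user)) != NULL) ids->uid = pw->pw_uid;
    else return -1;
    if (parse_id(group, &n) == 0) ids->gid = (gid_t)n;
    else if ((gr = getgrnam(group)) != NULL) ids->gid = gr->gr_gid;
    else return -1;
    return 0;
}

/* Phase 2: enter the jail, then drop privilege using only the numeric ids. */
int jail_and_drop(const char *dir, const struct run_ids *ids) {
    if (ids->uid == 0) return -1;                    /* refuse to keep running as root */
    if (chroot(dir) != 0 || chdir("/") != 0) return -1;
    if (setgroups(1, &ids->gid) != 0) return -1;     /* replace supplementary groups */
    if (setgid(ids->gid) != 0 || setuid(ids->uid) != 0) return -1;
    return (setuid(0) == 0) ? -1 : 0;                /* regaining root must fail */
}

int main(int argc, char **argv) {   /* usage (as root): prog USER GROUP CHROOTDIR */
    struct run_ids ids;
    return (argc == 4 && resolve_ids(argv[1], argv[2], &ids) == 0
            && jail_and_drop(argv[3], &ids) == 0) ? 0 : 1;
}
```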