
RE: ldapdb and ldapi:/// (unix socket connection) file permissions



OK.. Cool thanks...
Will this stuff be added to the OpenLDAP Administrator's Guide?? As the
documentation on how to create/connect to a unix socket would be very
helpful information to have in there.. Or at least a FAQ entry..

Did you catch my makefile patch for ldapdb on the sasl mailing list??
It also patches the ldapdb.c (removing the very last line and having it
created in the ldapdb_init.c by the makeinit.sh) so that it can be
statically linked as well..(though I don't know anyone that does that)

On Wed, 2003-06-04 at 20:12, Howard Chu wrote:
> > -----Original Message-----
> > From: owner-cyrus-sasl@lists.andrew.cmu.edu
> > [mailto:owner-cyrus-sasl@lists.andrew.cmu.edu]On Behalf Of Edward Rudd
> 
> > I've found the problem with this..
> > OpenLDAP creates the unix domain sockets with the permissions
> > 600 which
> > has the lovely side effect of not being able to be used by cyrus-imapd
> > OR postfix (via cyrus-sasl) due to the fact that both run as
> > a NON root user..
> 
> You must be running Linux... (I don't recall you mentioning OS version
> before.) Most Unix systems ignore the mode bits on a Unix domain socket, and
> so access control must be exercised on the socket's parent directory.
> 
> By the way, you can always have your slapd startup script do an explicit
> chown/chmod on the socket after it's created...
> 
> > Is there an easy way to change the default permissions and group
> > ownership that this socket gets created with? So that I could create a
> > "shadow" group that cyrus and postfix belong to.. (I am
> > assuming there is
> > a good security reason as to why that file was created
> > read/writable by root only)
> > Thanks..
> 
> When the ldapi mechanism was first introduced, it was intended as a fast,
> secure connection that didn't require any Bind/authentication. Security was
> to be provided by virtue of having the privilege to open the socket. Now that
> the SASL/EXTERNAL mech is supported over ldapi we can keep it fast and
> secure, *and* provide authentication. As such, it may not be necessary to
> keep the socket locked down as it is. Currently the code accepts a
> non-standard URL extension for specifying the socket permissions. I'm
> thinking we should remove this in 2.2 and just leave the socket wide open,
> and rely on Binding to take care of authentication issues, just as with any
> normal TCP connection.
> 
> Use the x-mod extension to set the permission bits:
> 	slapd -h 'ldapi://%2ftmp%2fldapi/???x-mod=777'
> will create the /tmp/ldapi socket with 0777 permissions.
> 
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support
-- 
Edward Rudd <eddie@omegaware.com>
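The two points Howard makes above, that the socket's own mode bits are only honoured on some systems (Linux among them) so the parent directory is the portable access control, and that the socket path inside an ldapi:// URL is percent-encoded with an optional x-mod extension, can be shown in a small standalone script. This is an added illustration written for this archive page, not code from the thread or from OpenLDAP; it assumes a Linux host with Python 3, uses a constructed directory layout under a temporary directory, and the "shadow group" gid parameter is an assumption matching Edward's question rather than anything slapd itself does.

```python
import os
import socket
import stat
import tempfile
from urllib.parse import quote


def ldapi_url(sock_path, x_mod=None):
    """Build the ldapi:// URL form that slapd -h expects.

    The socket path is percent-encoded so its slashes are not read as URL
    path separators (/tmp/ldapi -> %2ftmp%2fldapi).  If x_mod is given, the
    non-standard x-mod extension from Howard's mail is appended with the
    permission bits in octal, e.g. ldapi://%2ftmp%2fldapi/???x-mod=777.
    """
    encoded = quote(sock_path, safe="").replace("%2F", "%2f")
    url = "ldapi://" + encoded + "/"
    if x_mod is not None:
        url += "???x-mod=%o" % x_mod
    return url


def create_restricted_socket(sock_path, dir_mode=0o750, sock_mode=0o660, gid=None):
    """Bind a listening Unix domain socket with layered access control.

    The parent directory's mode is the control that works on every Unix,
    because many systems ignore the mode bits on the socket inode itself;
    the socket's own mode is set as well, since Linux does honour it.
    gid (assumed, optional) is the group the consumers of the socket
    belong to, the "shadow" group idea from the thread.
    """
    parent = os.path.dirname(sock_path)
    os.makedirs(parent, mode=dir_mode, exist_ok=True)
    os.chmod(parent, dir_mode)          # makedirs is subject to umask; be explicit
    if os.path.exists(sock_path):
        os.unlink(sock_path)            # stale socket left by an earlier run
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o077)         # create it closed, then open up deliberately
    try:
        srv.bind(sock_path)
    finally:
        os.umask(old_umask)
    srv.listen(1)
    os.chmod(sock_path, sock_mode)      # the explicit chmod-after-create Howard suggests
    if gid is not None:
        os.chown(parent, -1, gid)
        os.chown(sock_path, -1, gid)
    return srv


def socket_perms(sock_path):
    """Return (parent directory mode, socket mode, is_socket) for inspection."""
    st = os.stat(sock_path)
    parent_mode = stat.S_IMODE(os.stat(os.path.dirname(sock_path)).st_mode)
    return parent_mode, stat.S_IMODE(st.st_mode), stat.S_ISSOCK(st.st_mode)


def demo():
    """Create a socket under a fresh temp dir, read back its modes, clean up."""
    base = tempfile.mkdtemp(prefix="ldapi-")          # constructed location
    sock_path = os.path.join(base, "run", "ldapi")
    srv = create_restricted_socket(sock_path)
    try:
        return socket_perms(sock_path)
    finally:
        srv.close()
        os.unlink(sock_path)
        os.rmdir(os.path.dirname(sock_path))
        os.rmdir(base)


if __name__ == "__main__":
    print(ldapi_url("/tmp/ldapi", 0o777))
    print("dir=%o sock=%o is_socket=%s" % demo())
```

Running it prints the same URL Howard gives for a 0777 socket, and then the modes of the directory and socket just created; the directory mode (0750 here) is what a non-Linux host would actually enforce, so a startup script that only chmods the socket file is not enough on those systems.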