
Re: Posix group with /etc/ldap.conf read priv



On Mon, 14 Jun 2010, Ariel wrote:

> I don't like having the /etc/ldap.conf world readable [...]
> Advice?

And you didn't chmod /etc/passwd and /etc/group too? What if people get valuable information out of those? You can't do this and be POSIX multi-user; getgr*/getpw* are unprivileged operations. Your users should be able to get some output with getent(1), and your users should be able to get the same output with "cat /etc/ldap.conf" and a bit of thought, and any attempts to make that harder will be a waste of time on your part. Change back the permissions, or change your OS.

Now, with all this said, if your users can get *more* information with "cat /etc/ldap.conf" and thought than getent(1) provides, that may well be a configuration error on your part, which would be appropriate to discuss on this list...
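A check in the spirit of that last paragraph, as an added example that is not part of this thread: it flags the one case where a readable ldap.conf really does give away more than getent(1), a bind password sitting in the public file. The directive names bindpw and rootbindpw are the classic nss_ldap/pam_ldap ones; the sample file, its hostname and password are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original thread. The uri/base/scope lines in
# ldap.conf are what getent(1) already lets any user reconstruct, so hiding
# them buys nothing; a bind password is the part that must not be readable.

# Exit 0 if the file is readable by "other", 1 if not (parses ls -ld).
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Print credential-bearing directives in $1; exit 1 if any are found.
# Comment lines are skipped; keys are matched case-insensitively.
ldapconf_leaks() {
    leaks=$(grep -v '^[[:space:]]*#' "$1" \
        | grep -Ei '^[[:space:]]*(bindpw|rootbindpw)[[:space:]]' || true)
    [ -z "$leaks" ] && return 0
    printf '%s\n' "$leaks" | sed "s|^|LEAK in $1: |"
    return 1
}

# Verdict: only a world-readable file that also carries a password is a
# configuration error; a readable file with just uri/base is fine.
audit_ldapconf() {
    if world_readable "$1" && ! ldapconf_leaks "$1" >/dev/null; then
        echo "$1: world-readable AND holds a bind password; move it to a 0600 secret file"
        return 1
    fi
    echo "$1: nothing beyond what getent(1) exposes"
    return 0
}

# Constructed sample: the mistake is putting bindpw in the public file.
sample=$(mktemp)
cat >"$sample" <<'EOF'
# constructed sample ldap.conf (hostname and password are made up)
uri ldap://ldap.example.com/
base dc=example,dc=com
binddn cn=nss,dc=example,dc=com
bindpw NotSoSecret
EOF
chmod 644 "$sample"
audit_ldapconf "$sample" || true
```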