Full_Name: Russ Allbery Version: 2.4.7 OS: Debian GNU/Linux URL: Submission from: (NULL) (171.66.157.16) One of the most common problems we see in Debian with people new to OpenLDAP is that they run slapindex as root when they're running their directory server as a non-root user and hence break the file ownership and the database. Would it be possible to add a check in slapindex where, if slapindex is running as root and the database files are owned by a different user, it would either refuse to run (possibly overideable by a flag) or at least print a warning saying that ownership may have to be fixed later? One possible problem, I know, is that the names of the database files are a matter for the database backend and slapindex really shouldn't know what they are. But maybe the check could somehow be added to back-bdb and back-hdb and exposed for slapindex to use?
moved from Incoming to Software Enhancements
On Thursday 07 February 2008 08:22:12 rra@stanford.edu wrote: > One of the most common problems we see in Debian with people new to > OpenLDAP is that they run slapindex as root when they're running their > directory server as a non-root user and hence break the file ownership and > the database. Maybe your init script should die if the files and directories aren't writable by the user you run slapd as. There are more ways (than slapindex) to break file ownership.
Buchan Milne <bgmilne@staff.telkomsa.net> writes: > On Thursday 07 February 2008 08:22:12 rra@stanford.edu wrote: >> One of the most common problems we see in Debian with people new to >> OpenLDAP is that they run slapindex as root when they're running their >> directory server as a non-root user and hence break the file ownership >> and the database. > > Maybe your init script should die if the files and directories aren't > writable by the user you run slapd as. > > There are more ways (than slapindex) to break file ownership. There is, and we should probably also do that, but slapindex is far and away the most common and it would be cool if we could catch the problem before it happens instead of just warning afterwards. -- Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
rra@stanford.edu writes: >> There are more ways (than slapindex) to break file ownership. > > There is, and we should probably also do that, but slapindex is far and > away the most common and it would be cool if we could catch the problem > before it happens instead of just warning afterwards. slapadd has the same problem. For that matter, starting slapd without -u can mess up for when you restart with -u. So we can just as well make it general: If root opens a database for writing, fail instead if the directory or database file is not owned by root. Unless a slapd.conf option says differently I guess. Not sure if the default should be to check that for slapd as well as the tools. -- Hallvard
Hallvard B Furuseth <h.b.furuseth@usit.uio.no> writes: > slapadd has the same problem. For that matter, starting slapd without > -u can mess up for when you restart with -u. So we can just as well > make it general: If root opens a database for writing, fail instead if > the directory or database file is not owned by root. Unless a > slapd.conf option says differently I guess. Not sure if the default > should be to check that for slapd as well as the tools. That would be awesome. I think checking for slapd as well makes sense. -- Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
This only really applies to a slapadd for cn=config now that back-bdb/hdb are retired. In that case just do a recursive chown -R on the config db after running slapadd.