OpenLDAP


Viewing Software Enhancements/5356

Date: Thu, 7 Feb 2008 06:22:11 GMT
From: rra@stanford.edu
To: openldap-its@OpenLDAP.org
Subject: Catching index ownership errors
Full_Name: Russ Allbery
Version: 2.4.7
OS: Debian GNU/Linux
URL: 
Submission from: (NULL) (171.66.157.16)


One of the most common problems we see in Debian with people new to OpenLDAP is
that they run slapindex as root when they're running their directory server as a
non-root user and hence break the file ownership and the database.

Would it be possible to add a check in slapindex where, if slapindex is running
as root and the database files are owned by a different user, it would either
refuse to run (possibly overridable by a flag) or at least print a warning
saying that ownership may have to be fixed later?

One possible problem, I know, is that the names of the database files are a
matter for the database backend and slapindex really shouldn't know what they
are.  But maybe the check could somehow be added to back-bdb and back-hdb and
exposed for slapindex to use?


Followup 1

From: Buchan Milne <bgmilne@staff.telkomsa.net>
To: rra@stanford.edu
Subject: Re: (ITS#5356) Catching index ownership errors
Date: Thu, 7 Feb 2008 16:16:34 +0200
Cc: openldap-its@openldap.org
On Thursday 07 February 2008 08:22:12 rra@stanford.edu wrote:
> One of the most common problems we see in Debian with people new to
> OpenLDAP is that they run slapindex as root when they're running their
> directory server as a non-root user and hence break the file ownership and
> the database.

Maybe your init script should die if the files and directories aren't writable 
by the user you run slapd as.

There are more ways (than slapindex) to break file ownership.



Followup 2

To: Buchan Milne <bgmilne@staff.telkomsa.net>
Cc: openldap-its@openldap.org
Subject: Re: (ITS#5356) Catching index ownership errors
From: Russ Allbery <rra@stanford.edu>
Date: Thu, 07 Feb 2008 10:48:40 -0800
Buchan Milne <bgmilne@staff.telkomsa.net> writes:
> On Thursday 07 February 2008 08:22:12 rra@stanford.edu wrote:

>> One of the most common problems we see in Debian with people new to
>> OpenLDAP is that they run slapindex as root when they're running their
>> directory server as a non-root user and hence break the file ownership
>> and the database.
>
> Maybe your init script should die if the files and directories aren't
> writable by the user you run slapd as.
>
> There are more ways (than slapindex) to break file ownership.

There is, and we should probably also do that, but slapindex is far and
away the most common and it would be cool if we could catch the problem
before it happens instead of just warning afterwards.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>



Followup 3

From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Date: Thu, 7 Feb 2008 20:19:04 +0100
To: rra@stanford.edu
Cc: openldap-its@openldap.org
Subject: Re: (ITS#5356) Catching index ownership errors
rra@stanford.edu writes:
>> There are more ways (than slapindex) to break file ownership.
>
> There is, and we should probably also do that, but slapindex is far and
> away the most common and it would be cool if we could catch the problem
> before it happens instead of just warning afterwards.

slapadd has the same problem.  For that matter, starting slapd without
-u can mess up for when you restart with -u.  So we can just as well
make it general: If root opens a database for writing, fail instead if
the directory or database file is not owned by root.  Unless a
slapd.conf option says differently I guess.  Not sure if the
default should be to check that for slapd as well as the tools.

-- 
Hallvard



Followup 4

To: openldap-its@openldap.org
Subject: Re: (ITS#5356) Catching index ownership errors
From: Russ Allbery <rra@stanford.edu>
Date: Thu, 07 Feb 2008 12:19:54 -0800
Hallvard B Furuseth <h.b.furuseth@usit.uio.no> writes:

> slapadd has the same problem.  For that matter, starting slapd without
> -u can mess up for when you restart with -u.  So we can just as well
> make it general: If root opens a database for writing, fail instead if
> the directory or database file is not owned by root.  Unless a
> slapd.conf option says differently I guess.  Not sure if the default
> should be to check that for slapd as well as the tools.

That would be awesome.  I think checking for slapd as well makes sense.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
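The check this thread converges on (the original request for slapindex, generalised in Followup 3 to any tool opening a database for writing as root), written out as an added example. This is not OpenLDAP code and none of its names (check_db_ownership, db_write_allowed, make_sample_db_dir, the force flag standing in for the proposed override option, the sample file name id2entry.bdb) come from the project; the directory it inspects is a constructed one under /tmp unless a path is given on the command line.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Count entries in `dir` (the directory itself and its direct children)
 * whose owner is not `expected_uid`. Each mismatch is reported on stderr
 * so the operator sees what would be left with the wrong owner.
 * Returns the mismatch count, or -1 if the directory cannot be read. */
int check_db_ownership(const char *dir, uid_t expected_uid)
{
    struct stat st;
    struct dirent *de;
    DIR *d;
    char path[4096];
    int mismatches = 0;

    if (stat(dir, &st) != 0)
        return -1;
    if (st.st_uid != expected_uid) {
        fprintf(stderr, "%s: owned by uid %lu, expected %lu\n",
                dir, (unsigned long)st.st_uid, (unsigned long)expected_uid);
        mismatches++;
    }
    if ((d = opendir(dir)) == NULL)
        return -1;
    while ((de = readdir(d)) != NULL) {
        if (strcmp(de->d_name, ".") == 0 || strcmp(de->d_name, "..") == 0)
            continue;
        snprintf(path, sizeof path, "%s/%s", dir, de->d_name);
        if (lstat(path, &st) != 0)
            continue;              /* vanished or unreadable: skip it */
        if (st.st_uid != expected_uid) {
            fprintf(stderr, "%s: owned by uid %lu, expected %lu\n",
                    path, (unsigned long)st.st_uid, (unsigned long)expected_uid);
            mismatches++;
        }
    }
    closedir(d);
    return mismatches;
}

/* Gate a write-mode open the way the thread proposes: only root can leave
 * files behind with the wrong owner, so only root is checked; `force`
 * stands in for the override flag / slapd.conf option (a hypothetical
 * name for this example). Returns 1 to proceed, 0 to refuse. */
int db_write_allowed(const char *dir, uid_t running_uid, int force)
{
    int n;

    if (running_uid != 0)
        return 1;                  /* an unprivileged user cannot change ownership */
    n = check_db_ownership(dir, running_uid);
    if (n < 0)
        return 0;                  /* cannot inspect it: do not touch it */
    if (n == 0)
        return 1;
    if (force) {
        fprintf(stderr, "warning: %d entries not owned by root; "
                "ownership may need to be fixed afterwards\n", n);
        return 1;
    }
    fprintf(stderr, "refusing to open %s for writing as root: "
            "%d entries are owned by another user\n", dir, n);
    return 0;
}

/* Build a constructed sample database directory (one empty data file)
 * under /tmp, owned by whoever runs this, so the checks above can be
 * exercised without a real slapd installation. Created once; the path
 * is cached. Returns NULL on failure. */
const char *make_sample_db_dir(void)
{
    static char dir[] = "/tmp/slapcheck-XXXXXX";
    static int ready = 0;
    char file[sizeof dir + 32];
    FILE *fp;

    if (ready)
        return dir;
    if (mkdtemp(dir) == NULL)
        return NULL;
    snprintf(file, sizeof file, "%s/id2entry.bdb", dir);
    if ((fp = fopen(file, "w")) == NULL)
        return NULL;
    fclose(fp);
    ready = 1;
    return dir;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : make_sample_db_dir();
    int ok;

    if (dir == NULL)
        return 2;
    ok = db_write_allowed(dir, geteuid(), 0);
    printf("%s: %s\n", dir, ok ? "safe to open for writing" : "ownership check failed");
    return ok ? 0 : 1;
}
```

Run without arguments it checks the constructed directory; run as root with the real database directory as the argument it behaves like the proposed pre-flight check, exiting non-zero when the directory or any file in it is owned by someone else. Only the directory's direct children are inspected, which matches the flat layout of a back-bdb/back-hdb directory; a backend with nested subdirectories would need a recursive walk.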


The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org