Logged in as guest
Viewing Software Enhancements/5356 Full headers
Major security issue: yes no
Notes: Notification:
Date: Thu, 7 Feb 2008 06:22:11 GMT From: rra@stanford.edu To: openldap-its@OpenLDAP.org Subject: Catching index ownership errors
Full_Name: Russ Allbery Version: 2.4.7 OS: Debian GNU/Linux URL: Submission from: (NULL) (171.66.157.16) One of the most common problems we see in Debian with people new to OpenLDAP is that they run slapindex as root when they're running their directory server as a non-root user and hence break the file ownership and the database. Would it be possible to add a check in slapindex where, if slapindex is running as root and the database files are owned by a different user, it would either refuse to run (possibly overideable by a flag) or at least print a warning saying that ownership may have to be fixed later? One possible problem, I know, is that the names of the database files are a matter for the database backend and slapindex really shouldn't know what they are. But maybe the check could somehow be added to back-bdb and back-hdb and exposed for slapindex to use?
From: Buchan Milne <bgmilne@staff.telkomsa.net> To: rra@stanford.edu Subject: Re: (ITS#5356) Catching index ownership errors Date: Thu, 7 Feb 2008 16:16:34 +0200 Cc: openldap-its@openldap.org
On Thursday 07 February 2008 08:22:12 rra@stanford.edu wrote: > One of the most common problems we see in Debian with people new to > OpenLDAP is that they run slapindex as root when they're running their > directory server as a non-root user and hence break the file ownership and > the database. Maybe your init script should die if the files and directories aren't writable by the user you run slapd as. There are more ways (than slapindex) to break file ownership.
To: Buchan Milne <bgmilne@staff.telkomsa.net> Cc: openldap-its@openldap.org Subject: Re: (ITS#5356) Catching index ownership errors From: Russ Allbery <rra@stanford.edu> Date: Thu, 07 Feb 2008 10:48:40 -0800
Buchan Milne <bgmilne@staff.telkomsa.net> writes: > On Thursday 07 February 2008 08:22:12 rra@stanford.edu wrote: >> One of the most common problems we see in Debian with people new to >> OpenLDAP is that they run slapindex as root when they're running their >> directory server as a non-root user and hence break the file ownership >> and the database. > > Maybe your init script should die if the files and directories aren't > writable by the user you run slapd as. > > There are more ways (than slapindex) to break file ownership. There is, and we should probably also do that, but slapindex is far and away the most common and it would be cool if we could catch the problem before it happens instead of just warning afterwards. -- Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no> Date: Thu, 7 Feb 2008 20:19:04 +0100 To: rra@stanford.edu Cc: openldap-its@openldap.org Subject: Re: (ITS#5356) Catching index ownership errors
rra@stanford.edu writes: >> There are more ways (than slapindex) to break file ownership. > > There is, and we should probably also do that, but slapindex is far and > away the most common and it would be cool if we could catch the problem > before it happens instead of just warning afterwards. slapadd has the same problem. For that matter, starting slapd without -u can mess up for when you restart with -u. So we can just as well make it general: If root opens a database for writing, fail instead if the directory or database file is not owned by root. Unless a slapd.conf option says differently I guess. Not sure if the default should be to check that for slapd as well as the tools. -- Hallvard
To: openldap-its@openldap.org Subject: Re: (ITS#5356) Catching index ownership errors From: Russ Allbery <rra@stanford.edu> Date: Thu, 07 Feb 2008 12:19:54 -0800
Hallvard B Furuseth <h.b.furuseth@usit.uio.no> writes: > slapadd has the same problem. For that matter, starting slapd without > -u can mess up for when you restart with -u. So we can just as well > make it general: If root opens a database for writing, fail instead if > the directory or database file is not owned by root. Unless a > slapd.conf option says differently I guess. Not sure if the default > should be to check that for slapd as well as the tools. That would be awesome. I think checking for slapd as well makes sense. -- Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
______________ © Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org
