
Re: Slapd should give up root permission after binding the socket (ITS#98)



Ben Collins writes:
>On Wed, Mar 10, 1999 at 03:56:49AM +0000, dboreham@netscape.com wrote:
>> Of course you need to open the config file before
>> the identity change, otherwise you wouldn't know
>> what to change your identity to.
> 
> You would also have to have this user/group attribute come before any
> of the database definitions or else a database might still be opened by
> root.

As long as the "user" command in slapd.conf is given before any command
which opens the databases, that should be early enough.  The "user"
command could abort with an error message if it is given afterwards,
maybe except if the database is opened in read-only mode.  I suggest
that if no user is specified, slapd should change uid to the owner of
slapd.conf, or maybe of the database files of the first "database"
command.

> I think the best solution is command line arguments, that way it
> switches immediately, and independently of config file attributes.

Personally I dislike command line arguments for configuration.  I'd
prefer to go the opposite way: Provide slapd.conf statements that can be
used instead of most of the command line arguments.  But of course I
don't mind slapd having command line arguments in addition, as long as I
don't have to use them:-)

> The other solution is running under inetd which would allow you to
> specify the user to run as, but performance, inetd usage isn't
> preferable to most.

Hm... actually we _could_ use a similar approach: If the sysadmin
doesn't trust the great big slapd program, he could use a small program
which opens a socket as root, changes uid, and starts slapd with that
socket as file descriptor 0.

-- 
Hallvard
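
A sketch of the small wrapper proposed in the last paragraph, added here as an illustration; it is not part of the original message and not OpenLDAP code. It assumes the server will serve an already-listening socket passed as file descriptor 0, and the function names and the `user server [args]` usage are hypothetical.

```c
#define _DEFAULT_SOURCE                      /* for setgroups() on glibc */
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create a TCP listener on all interfaces; ports below 1024 need root. */
int bind_listener(unsigned short port) {
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons(port),
                             .sin_addr.s_addr = htonl(INADDR_ANY) };
    int on = 1, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof on);
    if (bind(fd, (struct sockaddr *)&a, sizeof a) < 0 || listen(fd, 128) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Drop root for good. Supplementary groups and gid must be changed while
 * still root, setuid goes last; then check that root cannot be regained. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (uid == 0) return -1;                 /* refuse to "drop" to root */
    if (setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    if (setuid(0) == 0 || geteuid() != uid || getegid() != gid) return -1;
    return 0;
}

/* Put the listener on fd 0, where the server is assumed to look for it. */
int socket_to_stdin(int fd) {
    if (fd == 0) return 0;
    if (dup2(fd, 0) < 0) return -1;
    return close(fd);
}

int main(int argc, char **argv) {
    struct passwd *pw = argc >= 3 ? getpwnam(argv[1]) : NULL;
    if (!pw) { fprintf(stderr, "usage: %s user server [args]\n", argv[0]); return 2; }
    int fd = bind_listener(389);             /* LDAP port, needs root */
    if (fd < 0 || drop_privileges(pw->pw_uid, pw->pw_gid) < 0 || socket_to_stdin(fd) < 0) {
        perror("wrapper");
        return 1;
    }
    execv(argv[2], argv + 2);                /* returns only on failure */
    perror("execv");
    return 1;
}
```

Because the identity change happens before the exec, the server never runs a single instruction as root and its configuration file is read as the unprivileged user.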