[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: the slapd startup problem (ITS#939)

At 03:58 PM 12/27/00 +0000, Allen.Zhao@ViAlta-Inc.com wrote:
>Full_Name: Allen Zhao
>Version: openldap-2.0.7
>OS: Linux
>URL: ftp://ftp.openldap.org/incoming/
>Submission from: (NULL) (
>We can start the slapd daemon at any times (Limied by the resource). And when we
>kill one slapd process, we just kill one group processes(normal three or more
>related processes).  And we can run it as different users at the same time. 

That's as expected.

>Maybe it's not a problem, since someone like to provide different services at
>the same time on one host. But for the security reason, I think we should take
>care of this issue.

On most operating systems, users are free to create TCP listeners
(generally on a set of "non-reserved" ports).  If you don't want
your users creating TCP listeners, the solution is not application
space, but the kernel space.

>Imaging the hacker or malicious user starts the slapd with
>his own configure file to retrieve the business secret.

A slapd started by a user cannot only provide access to
information which that user has permission to read in the
first place.