(ITS#4709) Insufficient permissions on PF_LOCAL sockets
Full_Name: Ivan Nejgebauer
Version: 2.3.27
OS: Linux 2.6 (Ubuntu)
URL: ftp://ftp.openldap.org/incoming/ivan-nejgebauer-061012.patch
Submission from: (NULL) (147.91.172.229)
Linux, as opposed to other *NIXes, honors PF_LOCAL socket file mode bits, so a
user must have the write permission to use the socket. OpenLDAP bind()s its
PF_LOCAL sockets without any special arrangements, so the resulting socket's
permissions are governed by the current umask. Since the umask is usually 022 or
002, the socket ends up not being world-writable, making it unusable for users
other than root.

Earlier OpenLDAP releases recognized a non-standard "x-mod" URL extension for
manipulating socket permissions, and the parsing code is still there, but its
results are unused.

With the attached patch, PF_LOCAL sockets are always created world-writable by
setting the umask to zero before bind(). The previous umask is restored
immediately afterwards. Umask manipulation shouldn't affect PF_UNIX bind()s, so
I haven't surrounded it with #ifdef LDAP_PF_LOCAL.

i.
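The following is an added example in C, not code from the report, the attached patch, or OpenLDAP itself. It shows the behaviour the report describes: on Linux a PF_LOCAL socket node is created with mode 0777 masked by the process umask, so under umask 022 it comes out 0755 and is unusable by non-root clients. It then shows the patch's technique (zero the umask around bind() and restore it immediately) combined with a chmod() to a requested mode afterwards, which is what an "x-mod"-style setting would do and lets an administrator choose group-writable (0660) rather than world-writable. The function names `bind_local_socket` and `socket_mode_for` and the `/tmp/its4709-*.sock` paths are assumptions made for this demonstration.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* Example code (not from the ITS report or OpenLDAP).
 *
 * Bind a PF_LOCAL stream socket at `path` and report the permission bits the
 * filesystem node ends up with.
 *
 *   requested == 0 : bind() under the caller's current umask, which is the
 *                    2.3.27 behaviour the report describes (0777 & ~umask).
 *   requested != 0 : zero the umask around bind() so the node is created
 *                    0777, restore the previous umask immediately (as the
 *                    patch does), then narrow the node to `requested` with
 *                    chmod(). The socket is not yet listen()ing during that
 *                    window, so no client can connect before chmod() runs.
 *
 * Returns the listening fd, or -1 on error. On success *out_mode receives
 * the permission bits that stat() reports for the socket node.
 */
int bind_local_socket(const char *path, mode_t requested, mode_t *out_mode)
{
    struct sockaddr_un sa;
    struct stat st;
    mode_t old_umask;
    int fd;

    if (strlen(path) >= sizeof sa.sun_path)
        return -1;

    fd = socket(PF_LOCAL, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_LOCAL;
    strcpy(sa.sun_path, path);
    unlink(path);               /* remove a stale node left by an earlier run */

    if (requested == 0) {
        if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0)
            goto fail;
    } else {
        old_umask = umask(0);
        if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
            umask(old_umask);
            goto fail;
        }
        umask(old_umask);       /* restore before doing anything else */
        if (chmod(path, requested) < 0)
            goto fail;
    }

    if (listen(fd, 5) < 0 || stat(path, &st) < 0)
        goto fail;

    *out_mode = st.st_mode & 07777;
    return fd;

fail:
    close(fd);
    unlink(path);
    return -1;
}

/* Convenience wrapper for the demonstration: run bind_local_socket() with
 * `process_umask` in effect, then close the socket and remove the node.
 * Returns the observed mode bits, or -1 on error. */
int socket_mode_for(const char *path, mode_t process_umask, mode_t requested)
{
    mode_t observed = 0;
    mode_t saved = umask(process_umask);
    int fd = bind_local_socket(path, requested, &observed);

    umask(saved);
    if (fd < 0)
        return -1;
    close(fd);
    unlink(path);
    return (int)observed;
}

static void report(const char *label, int mode)
{
    if (mode < 0)
        printf("%s: failed\n", label);
    else
        printf("%s: %04o\n", label, (unsigned)mode);
}

int main(void)
{
    /* Constructed paths for the demo; any writable directory works. */
    report("bind() under umask 022, no fix  ",
           socket_mode_for("/tmp/its4709-a.sock", 022, 0));
    report("umask 0 around bind(), then 0666",
           socket_mode_for("/tmp/its4709-b.sock", 022, 0666));
    report("umask 0 around bind(), then 0660",
           socket_mode_for("/tmp/its4709-c.sock", 022, 0660));
    return 0;
}
```

Two points a practitioner should keep in mind when using this pattern: umask() is process-wide, so in a multithreaded server every file any thread creates while the umask is zero is created 0777, which argues for keeping the window as short as the patch does; and where world-writable is more than the deployment needs, narrowing the node with chmod() after bind() (or placing it in a directory whose own mode restricts who can reach it) limits the socket to a group instead of everyone.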