
Re: (ITS#5166) Wrong DBD's database permissions when slapd starts

Well, well. Forgive me for saying that now you're being a little narrow.
If programs that belong to software like openldap (such as slapadd) do 
'setuid()' themselves then end users (and administrators):
  - Need to remember (or know) fewer things;
  - Need to type less;
  - Have fewer chances to break the working state of stuff, which in 
turn spares people time (Googling, bug reports, your response, etc.)

Not that I'm saying that life is easy, but shouldn't we try to bring 
ease to life if we can?
From this K.I.S.S. point of view it is wildly guessed that slapadd not 
setuid'ing was a bug.
If you wish to prevent future events for other users, you should 
consider this a bug.

I won't bother you again.
I'll just 'chown openldap:openldap /usr/sbin/slapadd' and then 'chmod 
a+s /usr/sbin/slapadd' as it should be more than enough to avoid future 
events for me.

Thank you for your time and prompt reply.
I don't know if you get paid for doing this stuff, but you should. 
Starting in November, Google for 'science, not fiction'.

Thanks again.

Pedro RA

Pierangelo Masarati wrote:
> pedrorandrade@gmail.com wrote:
>> One workaround is issuing 'sudo -u openldap slapadd ...' to avoid 
>> chown'ing afterwards.
> What you call a workaround is actually The Right Thing (TM).  There is
> no way to setuid() tools simply because there's no need to, as they can
> be run with the right identity.  The only reason slapd can be setuid()
> is that it needs to start as root in order to bind to port 389, and
> **then** setuid() before doing anything else.  Running programs as the
> correct user is normal UNIX administration - or should OpenLDAP also
> document ls, rm, ...?
> p.
> Ing. Pierangelo Masarati
> OpenLDAP Core Team
> SysNet s.r.l.
> via Dossi, 8 - 27100 Pavia - ITALIA
> http://www.sys-net.it
> ---------------------------------------
> Office:  +39 02 23998309
> Mobile:  +39 333 4963172
> Email:   pierangelo.masarati@sys-net.it
> ---------------------------------------
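The procedure the quoted reply recommends (run slapadd under the service account so the database files it creates are owned correctly from the start, instead of chown'ing afterwards or making slapadd setuid), as an added example that is not part of this thread and not OpenLDAP's own tooling. It assumes a service user named openldap, a database directory of /var/lib/ldap and a config file at /etc/ldap/slapd.conf; all three are assumptions, adjust them to your installation. The ownership check at the end is what tells you the import left nothing behind that slapd, once it drops privileges, would be unable to open.

```shell
#!/bin/sh
# Added example, not code from the OpenLDAP thread or project.
# Assumed values (override via the environment):
SVC_USER="${SVC_USER:-openldap}"            # account slapd runs as after setuid()
DB_DIR="${DB_DIR:-/var/lib/ldap}"           # BDB directory of the database
SLAPD_CONF="${SLAPD_CONF:-/etc/ldap/slapd.conf}"

# check_db_ownership DIR USER
# Fails (exit 1) and lists the offenders if anything under DIR is not
# owned by USER; exit 2 if USER does not exist (find would otherwise
# report an error and print nothing, which must not pass as "clean").
check_db_ownership() {
    dir="$1"; want="$2"
    id -u "$want" >/dev/null 2>&1 || {
        printf 'no such user: %s\n' "$want" >&2
        return 2
    }
    stray=$(find "$dir" ! -user "$want" -print)
    if [ -n "$stray" ]; then
        printf 'not owned by %s:\n%s\n' "$want" "$stray" >&2
        return 1
    fi
    return 0
}

# import_ldif FILE.ldif
# Root runs sudo; slapadd itself runs as $SVC_USER, so every file it
# creates already belongs to the service account and no chown is needed.
# Then verify the directory, since a previous root-run import may have
# left root-owned files behind.
import_ldif() {
    sudo -u "$SVC_USER" slapadd -f "$SLAPD_CONF" -l "$1" || return 1
    check_db_ownership "$DB_DIR" "$SVC_USER"
}

# Stand-alone demo that needs no slapd: a constructed scratch "database
# directory" with two empty BDB-named files, checked against the user
# who created them.
demo() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/id2entry.bdb"
    : > "$tmp/dn2id.bdb"
    check_db_ownership "$tmp" "$(id -un)"; rc=$?
    rm -rf "$tmp"
    return $rc
}

demo && echo "ownership check passed"
```

Typical use after a fresh install: `import_ldif /root/base.ldif` as root. If the check reports root-owned files, the LDIF was imported without `sudo -u`; re-running it the right way, or a one-off `chown -R openldap:openldap /var/lib/ldap`, is the fix, not a setuid bit on slapadd.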