(ITS#7541) nssov cannot create socket directory
Full_Name: Ryan Steele
OS: Ubuntu, RedHat
Submission from: (NULL) (18.104.22.168)

According to https://github.com/gcp/openldap/blob/master/contrib/slapd-modules/nssov/nssov.c#L808,
nssov tries to create the socket/PID directory /var/run/nslcd if it does not
exist. However, that mkdir attempt will always fail because slapd runs as a
non-privileged user and the permissions on /var/run are, appropriately,
root:root and 755. As a result, when a system using slapd+nssov is rebooted,
slapd fails to start and user lookups thusly fail until /var/run/nslcd is
manually created so that slapd can be started.

Traditionally, things in /var/run are created via init scripts, since they run
as root. Once that is done, privileges can be dropped and the daemon started.

Given that nssov is a contrib overlay, we could make a separate init script for
nssov that runs before slapd's and creates the appropriate directory in
/var/run. Alternatively, we could make --with-nslcd-pidfile and
--with-nslcd-socket configurable post-install options instead of being set in
stone at compile time, making it possible to set the PID/socket directory to
something we know will exist and have the right perms, like /var/run/slapd.

It would probably make sense to remove the mkdir-related lines from nssov.c
entirely, since non-privileged users do not have write perms on /var/run. I
consider this a pretty serious issue, as it prevents the software from working.
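The init-script approach proposed in the report (create the /var/run directory as root before privileges are dropped), as an added example that is not part of the ITS submission or of OpenLDAP itself. The directory path, the `openldap` account name and the `prestart` argument are assumptions for illustration; the helper refuses to follow a symlink so that a pre-existing link in /var/run cannot redirect a root chown/chmod.

```shell
#!/bin/sh
# Added example: pre-start step for an init script that prepares the nslcd
# socket/PID directory while still root, hands it to the unprivileged slapd
# account, and verifies it before slapd is started (paths/accounts assumed).

# ensure_runtime_dir DIR OWNER GROUP MODE
# Creates DIR if missing, sets ownership and mode, and fails if DIR is a
# symlink (checked before -d, since -d follows symlinks) or cannot be created.
ensure_runtime_dir() {
    dir=$1 owner=$2 group=$3 mode=$4
    if [ -L "$dir" ]; then
        echo "refusing to use symlink $dir" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        mkdir "$dir" || return 1
    fi
    chown "$owner:$group" "$dir" || return 1
    chmod "$mode" "$dir" || return 1
    return 0
}

# runtime_dir_usable DIR OWNER
# Returns 0 when DIR is a directory owned by OWNER, i.e. the account slapd
# will run as can create its socket and PID file there; reports the problem
# otherwise so the init script can refuse to start instead of failing later.
runtime_dir_usable() {
    dir=$1 owner=$2
    if [ ! -d "$dir" ]; then
        echo "$dir missing" >&2
        return 1
    fi
    actual=$(ls -ld "$dir" | awk '{print $3}')
    if [ "$actual" != "$owner" ]; then
        echo "$dir owned by $actual, expected $owner" >&2
        return 1
    fi
    return 0
}

# Typical use from an init script running as root, before slapd is started:
#   script prestart && start-daemon-as openldap slapd ...
if [ "${1:-}" = "prestart" ]; then
    ensure_runtime_dir /var/run/nslcd openldap openldap 0755 &&
        runtime_dir_usable /var/run/nslcd openldap || exit 1
fi
```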