[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: ITS#98 'user' patch for BSD systems
patl@phoenix.volant.org writes:
> I would suggest initializing run_uid to -1 to indicate that we should
> just leave the real/effective uid/gid alone; but some systems still
> use that for 'nobody'. (I've also seen -2 used.) We may have to
> go for a separate flag if we need an out-of-band signal.
Back to ngids = -1...
BTW, I prefer names slap_ngids, slap_uid and so on. Without some
namespace cleanup we'll have a clash with a backend variable some day.
>> Whoever adds options can worry about that.
>
> But we may as well make life easy for them; as long as it doesn't
> make it any harder for us.
I think we are talking about having to change to 1 or 2 lines here.
>> But maybe the easiest to implement is
>> -c "slapd.conf-line"
>> in any case.
>
> I like the additional generalization. But that would mean that we
> need to set it up so that if there are multiple user commands, the
> first one is used and the additional ones are ignored. Which means
> adding a test instead of letting it just use the last one.
OK...
> (Note that we don't really want to issue a warning if we find another
> user statement unless we actually go to the trouble to ensure that the
> first one was not from the command line.)
Why not? I'd think exactly the opposite: 'user' is mostly a security
feature, and the program should abort if it can't/won't obey the
requested security.
--
Hallvard