[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ITS#98 'user' patch for BSD systems

patl@phoenix.volant.org writes:
> I would suggest initializing run_uid to -1 to indicate that we should
> just leave the real/effective uid/gid alone; but some systems still
> use that for 'nobody'.  (I've also seen -2 used.)  We may have to
> go for a separate flag if we need an out-of-band signal.

Back to ngids = -1...

BTW, I prefer names slap_ngids, slap_uid and so on.  Without some
namespace cleanup we'll have a clash with a backend variable some day.

>> Whoever adds options can worry about that.
> But we may as well make life easy for them; as long as it doesn't
> make it any harder for us.

I think we are talking about having to change to 1 or 2 lines here.

>> But maybe the easiest to implement is
>>      -c "slapd.conf-line"
>> in any case.
> I like the additional generalization.  But that would mean that we
> need to set it up so that if there are multiple user commands, the
> first one is used and the additional ones are ignored.  Which means
> adding a test instead of letting it just use the last one.


> (Note that we don't really want to issue a warning if we find another
> user statement unless we actually go to the trouble to ensure that the
> first one was not from the command line.)

Why not?  I'd think exactly the opposite: 'user' is mostly a security
feature, and the program should abort if it can't/won't obey the
requested security.