Re: breaking up slap_init_user() for better chroot functionality
Howard Chu wrote:
Kurt D. Zeilenga wrote:
At 07:58 AM 10/12/2004, Daniel Ott wrote:
To expand on this - it is standard practice to use a customized
password database inside a chroot'd environment, not the "real" system
database. Altering the behavior here would prevent the use of such a
Why do you think the suggested split would change command line
Because the modifications would change the password
I can see why you'd want to have a separate password database if you're
trying to chroot-jail several daemons or remote logins but as far as
running a single daemon chroot'd I can't say I'm convinced. I've looked
at a few other daemons and found that most do the db lookups before the
chroot. ISC's named even has this comment in the source:
* Get the user and group information before changing the root
* directory, so the administrator does not need to keep a copy
* of the user and group databases in the chroot'ed environment.
It seems to me that daemons that do the lookups after the chroot avoid
this discussion because there is a lot going on related to users after
the chroot. ftp sessions... mail deliveries in some mail servers... and
that's probably the case here with the shell, perl and passwd backends.
Anyway, I won't harp on it anymore. Thanks for the discussion, adding
clarification to the man page and all your work on the project as a whole.