[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: ldapdb and ldapi:/// (unix socket connection) file permissions

To: "'Edward Rudd'" <eddie@omegaware.com>, "'OpenLDAP'" <openldap-software@OpenLDAP.org>, "'Cyrus-SASL'" <cyrus-sasl@lists.andrew.cmu.edu>
Subject: RE: ldapdb and ldapi:/// (unix socket connection) file permissions
From: "Howard Chu" <hyc@highlandsun.com>
Date: Wed, 4 Jun 2003 18:12:26 -0700
Importance: Normal
In-reply-to: <1054772991.3769.60.camel@urkle.vernon.hills>

> -----Original Message-----
> From: owner-cyrus-sasl@lists.andrew.cmu.edu
> [mailto:owner-cyrus-sasl@lists.andrew.cmu.edu]On Behalf Of Edward Rudd

> I've found the problem with this..
> OpenLDAP creates the unix domain sockets with the permissions
> 600 which
> has the lovely side effect of not being able to be used by cyrus-imapd
> OR postfix (via cyrus-sasl) due to the fact that both run as
> a NON root user..

You must be running Linux... (I don't recall you mentioning OS version
before.) Most Unix systems ignore the mode bits on a Unix domain socket, and
so access control must be exercised on the socket's parent directory.

By the way, you can always have your slapd startup script do an explicit
chown/chmod on the socket after it's created...

> Is there an easy way to change the default permissions and groups
> ownership that this socket gets created? So that I could create a
> "shadow" group that cyrus and postix belong to.. (I am
> assuming there is
> a good security reason as to why that file was created
> read/writable by root only)
> Thanks..

When the ldapi mechanism was first introduced, it was intended as a fast,
secure connection that didn't require any Bind/authentication. Security was
to be provided by virtue of having the privilege to open the socket. Now that
the SASL/EXTERNAL mech is supported over ldapi we can keep it fast and
secure, *and* provide authentication. As such, it may not be necessary to
keep the socket locked down as it is. Currently the code accepts a
non-standard URL extension for specifying the socket permissions. I'm
thinking we should remove this in 2.2 and just leave the socket wide open,
and rely on Binding to take care of authentication issues, just as with any
normal TCP connection.

Use the x-mod extension to set the permission bits:
	slapd -h 'ldapi://%2ftmp%2fldapi/???x-mod=777'
will create the /tmp/ldapi socket with 0777 permissions.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

Follow-Ups:
- RE: ldapdb and ldapi:/// (unix socket connection) file permissions
  - From: Edward Rudd <eddie@omegaware.com>

References:
- ldapdb and ldapi:/// (unix socket connection) file permissions
  - From: Edward Rudd <eddie@omegaware.com>

Prev by Date: RE: Aliases status for openldap 2.1.x + back-bdb
Next by Date: Problem with openldap/pam & tls
Index(es):
- Chronological
- Thread