
Re: (ITS#4750) libldap initialization of ~/.ldaprc and setuid

quanah@stanford.edu wrote:
> --On Tuesday, November 14, 2006 5:06 AM +0000 Kurt@OpenLDAP.org wrote:
>> I note that nss/pam-ldap setting NOINIT (or otherwise mucking
>> with libldap options) might break LDAP-enabled programs.  But
>> that's another matter.
>> Anyways, I think the only good fix (for this and many other
>> larger problems) is a library redesign/rewrite.
> Okay.
> I note I don't find any mention of NOINIT in the nss_ldap or pam_ldap
> source; maybe it was removed at some point?  I'm looking at the latest code
> from PADL.
> Unless you mean patching nss_ldap/pam_ldap to set "LDAPNOINIT" in the 
> environment?  Which has other problems.

For the specific case of nss/pam_ldap the obvious solution is to require 
that they never use default values anywhere. Generally that is already 
what happens anyway.

   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc
   OpenLDAP Core Team            http://www.openldap.org/project/
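The policy Howard describes for nss/pam_ldap, as an added illustration that is not OpenLDAP or PADL code: the client resolves its options itself, treats a per-user rc file as untrusted whenever the real and effective ids differ (the setuid case in the subject line), and sets every option it depends on explicitly so that nothing is left to library defaulting. The struct and function names, the three directives modelled (URI, BASE and TLS_CACERT from ldap.conf(5)), the stand-in defaults and the sample rc file are all assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <sys/types.h>

/* Hypothetical option set; names are assumptions for this illustration,
 * not libldap's API. Only three ldap.conf(5) directives are modelled. */
struct ldap_opts {
    char uri[128];
    char base[128];
    char tls_cacert[128];
};

/* Constructed stand-ins for the library's built-in defaults. */
static const struct ldap_opts library_defaults = { "ldap://localhost", "", "" };

/* Constructed ~/.ldaprc as an unprivileged user might write it. */
const char *const sample_user_rc =
    "# user-controlled rc file\n"
    "URI ldap://user-chosen.example\n"
    "BASE dc=user,dc=example\n"
    "TLS_CACERT /home/user/ca.pem\n";

static void set_str(char *dst, size_t n, const char *src)
{
    strncpy(dst, src, n - 1);
    dst[n - 1] = '\0';
}

/* ldap.conf(5) directive names are case-insensitive. */
static int key_is(const char *key, const char *name)
{
    for (; *key && *name; key++, name++)
        if (toupper((unsigned char)*key) != toupper((unsigned char)*name))
            return 0;
    return *key == '\0' && *name == '\0';
}

/* A per-user rc file may be honoured only when the process runs with the
 * user's own privileges: real and effective uid and gid must all match. */
int user_rc_trusted(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    return uid == euid && gid == egid;
}

/* Apply "KEY value" lines ('#' starts a comment) from text onto opts.
 * Returns the number of recognised directives applied. */
int apply_rc_text(const char *text, struct ldap_opts *opts)
{
    const char *p = text;
    int applied = 0;

    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256], key[64], val[128];

        if (len > sizeof line - 1)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + strlen(p);

        if (line[0] == '#' || sscanf(line, "%63s %127s", key, val) != 2)
            continue;
        if (key_is(key, "URI"))
            set_str(opts->uri, sizeof opts->uri, val);
        else if (key_is(key, "BASE"))
            set_str(opts->base, sizeof opts->base, val);
        else if (key_is(key, "TLS_CACERT"))
            set_str(opts->tls_cacert, sizeof opts->tls_cacert, val);
        else
            continue;
        applied++;
    }
    return applied;
}

/* Resolve what the client will actually use: library defaults, then the
 * user's rc file (only when trusted), then every value the client sets
 * explicitly. An empty field in explicit_opts means "left to defaulting",
 * which is exactly what a client that may run setuid should never do. */
void resolve_client_opts(const struct ldap_opts *explicit_opts,
                         const char *user_rc_text,
                         uid_t uid, uid_t euid, gid_t gid, gid_t egid,
                         struct ldap_opts *out)
{
    *out = library_defaults;
    if (user_rc_text != NULL && user_rc_trusted(uid, euid, gid, egid))
        apply_rc_text(user_rc_text, out);
    if (explicit_opts->uri[0])
        set_str(out->uri, sizeof out->uri, explicit_opts->uri);
    if (explicit_opts->base[0])
        set_str(out->base, sizeof out->base, explicit_opts->base);
    if (explicit_opts->tls_cacert[0])
        set_str(out->tls_cacert, sizeof out->tls_cacert, explicit_opts->tls_cacert);
}

int main(void)
{
    const struct ldap_opts explicit_opts =
        { "ldaps://ldap.example.org", "dc=example,dc=org", "/etc/ssl/certs/ca.pem" };
    const struct ldap_opts nothing_explicit = { "", "", "" };
    struct ldap_opts out;

    /* setuid context (real uid 1000, effective uid 0): rc file ignored,
     * explicit values used. */
    resolve_client_opts(&explicit_opts, sample_user_rc, 1000, 0, 1000, 0, &out);
    printf("setuid, explicit:  URI=%s BASE=%s CA=%s\n", out.uri, out.base, out.tls_cacert);

    /* Same context but relying on defaults: the user's URI is still
     * ignored, but the client now talks to whatever the library default is. */
    resolve_client_opts(&nothing_explicit, sample_user_rc, 1000, 0, 1000, 0, &out);
    printf("setuid, defaulted: URI=%s\n", out.uri);

    /* Ordinary process run by the user: ~/.ldaprc is honoured. */
    resolve_client_opts(&nothing_explicit, sample_user_rc, 1000, 1000, 1000, 1000, &out);
    printf("normal, defaulted: URI=%s\n", out.uri);
    return 0;
}
```

The second case in main is the one worth noticing: guarding the rc file alone leaves the client on the library's default server, so the guard is a backstop and explicit settings are the actual fix.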