[Pkg-openldap-devel] Upgrading and changing permissions.

Steve Langasek vorlon at debian.org
Thu Jun 8 04:36:02 UTC 2006


On Wed, Jun 07, 2006 at 10:18:25PM +0200, Matthijs Mohlmann wrote:

> Steve Langasek wrote:
> > On Sun, Jun 04, 2006 at 03:47:54PM +0200, Matthijs Mohlmann wrote:
> >> - - Upgrade path (From sarge to etch / sid)
> >> When someone wants to upgrade from Sarge to sid and update the
> >> /etc/default/slapd so that the user is changed to openldap. Shall we in
> >> the slapd postinst script update the permissions of every file /
> >> directory in /etc/ldap except for ldap.conf because that one belongs to
> >> libldap2 ?

> > Why would you change the permissions of *any* of these files?  The slapd
> > user shouldn't have write access to them.

> The user / admin can have passwords in the slapd.conf configuration. See
> the rootdn and rootpw parameter. That's why I think it's needed to
> change the permissions. Eventually we can change it to root:openldap and
> 0640 so that the openldap user only has read permissions.

> The included files from slapd.conf can probably also have passwords.
> (with multiple directories specified in multiple files)

Right, but slapd needs to be root when it initially binds to the privileged
LDAP ports... which I would expect it does /after/ reading its config... so
there shouldn't be any reason for the user slapd /runs/ as to have read
access to these files.  Am I wrong?

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon at debian.org                                   http://www.debian.org/
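As an added example (editor's code, not from this thread or the Debian openldap packaging): a small POSIX shell audit for the layout discussed above, where slapd.conf and any file it pulls in via an include directive may carry rootpw and so must not be readable beyond root and the service group. It checks each file's mode against the proposed root:openldap 0640 shape (no group write, nothing for others) and optionally its owner and group. It assumes GNU coreutils stat(1) and include paths without spaces; the mini /etc/ldap tree it builds in a temp directory is constructed for the demo and the rootpw value in it is not real.

```shell
#!/bin/sh
# Audit helpers for slapd.conf permissions (constructed example, assumes GNU stat).

# Return 0 when FILE grants no write bit to group and no bits at all to others,
# i.e. it is at most 0640 (or 0750 for a directory), as proposed in the thread.
secret_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 2
    # The leading 0 makes the shell parse stat's octal output as octal;
    # 027 masks group-write plus all "other" bits. Any of them set is a failure.
    [ $(( 0$mode & 027 )) -eq 0 ]
}

# Return 0 when FILE is owned by USER and group GROUP (e.g. root openldap).
file_owned_by() {
    [ "$(stat -c '%U:%G' "$1")" = "$2:$3" ]
}

# Print the paths named by "include" directives in a slapd.conf-style file.
slapd_includes() {
    awk 'tolower($1) == "include" { print $2 }' "$1"
}

# audit_slapd_conf CONF [USER GROUP]
# Checks CONF and every file it includes. Prints "ok  PATH" or "BAD PATH (why)".
# Returns 1 if any file is too open or (when USER/GROUP given) mis-owned.
audit_slapd_conf() {
    conf=$1; want_user=${2:-}; want_group=${3:-}
    rc=0
    # Included paths are assumed not to contain whitespace (constructed assumption).
    for f in "$conf" $(slapd_includes "$conf"); do
        if ! secret_mode_ok "$f"; then
            echo "BAD $f (mode $(stat -c '%a' "$f") is readable/writable too widely)"
            rc=1
        elif [ -n "$want_user" ] && ! file_owned_by "$f" "$want_user" "$want_group"; then
            echo "BAD $f (owner $(stat -c '%U:%G' "$f"), expected $want_user:$want_group)"
            rc=1
        else
            echo "ok  $f"
        fi
    done
    return $rc
}

# Demo on a constructed tree: slapd.conf is 0640, but the included file that
# actually holds rootpw was left world-readable, which the audit must flag.
demo_audit() {
    d=$(mktemp -d)
    printf 'include %s/secrets.conf\nrootdn "cn=admin,dc=example,dc=com"\n' "$d" > "$d/slapd.conf"
    printf 'rootpw constructed-not-a-real-password\n' > "$d/secrets.conf"
    chmod 640 "$d/slapd.conf"
    chmod 644 "$d/secrets.conf"
    audit_slapd_conf "$d/slapd.conf"; status=$?
    rm -rf "$d"
    return $status
}

demo_audit || echo "audit found at least one file that is too open"
```

Run it as a plain script; to also enforce ownership on a real system, call `audit_slapd_conf /etc/ldap/slapd.conf root openldap` as root. The mask approach (`0$mode & 027`) is deliberate: it accepts 0600 as well as 0640, since tighter than proposed is fine, while rejecting 0660 and anything world-readable.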