[Pkg-openldap-devel] Upgrading and changing permissions.
Matthijs Mohlmann
matthijs at cacholong.nl
Thu Jun 8 05:26:05 UTC 2006
Steve Langasek wrote:
> On Wed, Jun 07, 2006 at 10:18:25PM +0200, Matthijs Mohlmann wrote:
>
>> Steve Langasek wrote:
>>> On Sun, Jun 04, 2006 at 03:47:54PM +0200, Matthijs Mohlmann wrote:
>>>> - Upgrade path (from sarge to etch / sid)
>>>> When someone upgrades from Sarge to sid and updates
>>>> /etc/default/slapd so that the user is changed to openldap, shall we in
>>>> the slapd postinst script update the permissions of every file /
>>>> directory in /etc/ldap except for ldap.conf, because that one belongs to
>>>> libldap2?
>
>>> Why would you change the permissions of *any* of these files? The slapd
>>> user shouldn't have write access to them.
>
>> The user / admin can have passwords in the slapd.conf configuration. See
>> the rootdn and rootpw parameter. That's why I think it's needed to
>> change the permissions. Eventually we can change it to root:openldap and
>> 0640 so that the openldap user only has read permissions.
>
>> The included files from slapd.conf can probably also have passwords.
>> (with multiple directories specified in multiple files)
>
> Right, but slapd needs to be root when it initially binds to the privileged
> LDAP ports... which I would expect it does /after/ reading its config... so
> there shouldn't be any reason for the user slapd /runs/ as to have read
> access to these files. Am I wrong?
>
slapd reads its config after it has dropped privileges. I saw that after
I tested it with the configuration at 0600 and owned by root. Maybe
write a patch so that it first reads its configuration and drops
privileges after that (then we don't need to adjust permissions in /etc/ldap/).
Regards,
Matthijs Mohlmann
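As an added illustration of the permission model discussed in this thread (root:openldap, 0640, including the files that slapd.conf pulls in via "include"), here is a small audit script; it is not code from the thread or from the Debian slapd package. It assumes GNU stat (-c) and uses hypothetical function names; ownership is not checked because the demo runs unprivileged.

```shell
#!/bin/sh
# Added example, not from the thread or the Debian packages: find rootpw
# directives in slapd.conf and every file it "include"s, and flag files
# whose mode lets the group write or "other" read (target: 0640 root:openldap).
# Assumes GNU stat; ownership is not checked since the demo runs unprivileged.
# Print the root config file followed by every file reached through
# "include <path>" directives (depth-first). Lines starting with '#' are comments.
slapd_config_files() {
    f="$1"
    printf '%s\n' "$f"
    sed -n 's/^[[:space:]]*include[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$f" |
    while IFS= read -r inc; do
        [ -f "$inc" ] && slapd_config_files "$inc"
    done
}
# Print one line per config file that holds rootpw and is too open.
# Exit status is the number of offenders (0 = clean).
audit_slapd_secrets() {
    n=0
    for cfg in $(slapd_config_files "$1"); do
        grep -qi '^[[:space:]]*rootpw' "$cfg" || continue
        set -- $(stat -c '%a %A' "$cfg")       # e.g. "640 -rw-r-----"
        case "$2" in
            ?????-?---) ;;                     # g-w and o-rwx clear: fine
            *) echo "$cfg: mode $1 exposes rootpw (want 0640 root:openldap)"
               n=$((n + 1)) ;;
        esac
    done
    return "$n"
}
# Constructed sample: a main slapd.conf at 0640 that includes a second
# database's config left at 0644, the oversight the audit should catch.
make_sample_config() {
    d=$(mktemp -d)
    cat > "$d/slapd.conf" <<EOF
include         $d/db2.conf
database        bdb
rootdn          "cn=admin,dc=example,dc=com"
rootpw          {SSHA}constructed-placeholder-hash
EOF
    printf 'database bdb\nsuffix "dc=other,dc=com"\nrootpw constructed-secret\n' > "$d/db2.conf"
    chmod 640 "$d/slapd.conf"
    chmod 644 "$d/db2.conf"
    printf '%s\n' "$d"
}
dir=$(make_sample_config)
audit_slapd_secrets "$dir/slapd.conf" || echo "offenders: $?"   # reports db2.conf only
```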