[Pkg-openldap-devel] Upload to fix the slurpd spool directory or ?

Steve Langasek vorlon at debian.org
Wed May 24 22:19:05 UTC 2006


On Thu, May 25, 2006 at 12:02:25AM +0200, Matthijs Mohlmann wrote:

> It's I think a pretty important bug to have fixed in the archive. (the
> slurpd in the right directory) Do you think this will be important
> enough for an upload?

Yes.

> Ok, next thing on the schedule.

> slapd runs as root and IMO it is better to run it as user. (from
> security point of view) The things that need to be changed to
> effectively run as an unprivileged user:
> 
> - Create a user in the preinst script (username ldap?)

Why do you need it to be created in the preinst instead of in the postinst?

I would also go with 'openldap' rather than 'ldap', FWIW.

> - Purge user in postrm script (when the package is purged)

There is disagreement about whether this should be done; in any case, make
sure you do this opportunistically based on the presence of the
userdel/deluser command...

> And now the question:
> Do we need to fix the permissions in the postinst or in the init.d
> script? IMO in the init.d script so we can check every time if the
> permissions are ok (that will also prevent startup failures)

Given that the trend is toward *creating* var/run subdirs in the init.d
script if not present, you would want to set permissions there as well.  But
for permissions on /var/lib/ldap or the like, I think this should really be
left to the admin if they change permissions after the package was
installed.

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon at debian.org                                   http://www.debian.org/
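
The three pieces discussed in this message (account creation at configure time, opportunistic removal on purge, and resetting the runtime directory in the init script), sketched as an added example that is not part of the original thread or of the slapd package. `SLAPD_USER`, `RUNDIR`, the function names and the home directory are assumptions.

```shell
#!/bin/sh
# Added illustration, not the Debian slapd package's own maintainer scripts.
# SLAPD_USER, RUNDIR and all function names are assumptions.
SLAPD_USER="${SLAPD_USER:-openldap}"
RUNDIR="${RUNDIR:-/var/run/slapd}"

# postinst: create the system account only if it is not there yet.
create_user() {
    id "$SLAPD_USER" >/dev/null 2>&1 && return 0
    # Home directory is an assumption (the data directory named in the thread).
    adduser --system --group --no-create-home --home /var/lib/ldap "$SLAPD_USER"
}

# Which account-removal tool is on PATH? Neither is guaranteed at purge time.
removal_tool() {
    if command -v deluser >/dev/null 2>&1; then echo deluser
    elif command -v userdel >/dev/null 2>&1; then echo userdel
    else echo none
    fi
}

# postrm purge: remove the account opportunistically, never fail the purge.
purge_user() {
    case "$(removal_tool)" in
        deluser) deluser --quiet --system "$SLAPD_USER" || true ;;
        userdel) userdel "$SLAPD_USER" || true ;;
        none)    echo "no deluser/userdel; leaving $SLAPD_USER in place" >&2 ;;
    esac
}

# init.d start: create the runtime directory if absent and reset its mode and
# owner on every start. /var/lib/ldap is left alone for the admin to manage.
ensure_rundir() {
    mkdir -p "$RUNDIR" || return 1
    chmod 0755 "$RUNDIR" || return 1
    # chown needs root and an existing account; skip it otherwise.
    if [ "$(id -u)" -eq 0 ] && id "$SLAPD_USER" >/dev/null 2>&1; then
        chown "${SLAPD_USER}:${SLAPD_USER}" "$RUNDIR" || return 1
    fi
}

# Dispatch on the maintainer-script / init.d argument; no argument is a no-op.
case "${1:-}" in
    configure) create_user ;;
    purge)     purge_user ;;
    start)     ensure_rundir ;;
esac
```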