[Pkg-openldap-devel] Upload to fix the slurpd spool directory or ?

Torsten Landschoff torsten at debian.org
Thu May 25 19:27:20 UTC 2006


Hi Matthijs, 

On Thu, May 25, 2006 at 12:02:25AM +0200, Matthijs Mohlmann wrote:
 
> It's I think a pretty important bug to have fixed in the archive. (the
> slurpd in the right directory) Do you think this will be important
> enough for an upload?

Sure.

> slapd runs as root and IMO it is better to run it as user. (from
> security point of view) The things that need to be changed to
> effectively run as an unprivileged user:

I am a bit disconnected from Debian stuff right now but AFAIR the next
release will be soon. I'd defer stuff like this for after the release.
And, FYI: That feature was planned for a long time and I am actually using it,
which almost prompted me not to upload.

That's because I did not create a dedicated ldap account but used an
obsolete old account called "siedler", leading to a chown to
siedler:siedler in the slapd postinst. It took me a minute to discover 
that I got

	SLAPD_USER=siedler
	SLAPD_GROUP=siedler

in /etc/default/slapd ;-)


In short: Running as non-root is quite functional (apart from the need
to move the .args file), but auto-creating a user and removing it is
evil IMHO, at least with the current Debian infrastructure. The last
time I looked there was no official way to do this and I am running into
problems with the usual adduser method all the time, which is why I
would like to discuss our approach further before implementing it.

Greetings

	Torsten