[Pkg-openldap-devel] Upload to fix the slurpd spool directory or ?
Matthijs Mohlmann
matthijs at cacholong.nl
Thu May 25 20:37:00 UTC 2006
Torsten Landschoff wrote:
> Hi Matthijs,
>
> On Thu, May 25, 2006 at 12:02:25AM +0200, Matthijs Mohlmann wrote:
>
>> I think it's a pretty important bug to have fixed in the archive (the
>> slurpd spool in the right directory). Do you think this will be important
>> enough for an upload?
>
> Sure.
>
ok.
>> slapd runs as root and IMO it is better to run it as a user (from a
>> security point of view). The things that need to be changed to
>> effectively run as an unprivileged user:
>
> I am a bit disconnected from Debian stuff right now but AFAIR the next
> release will be soon. I'd defer stuff like this for after the release.
> And, FYI: That feature was planned for long and I am actually using it
> which almost prompted me not to upload.
>
> That's because I did not create a dedicated ldap account but used an
> obsolete old account called "siedler", leading to a chown to
> siedler:siedler in the slapd postinst. It took me a minute to discover
> that I got
>
> SLAPD_USER=siedler
> SLAPD_GROUP=siedler
>
> in /etc/default/slapd ;-)
>
heh ;)
Postpone it until after the release? We have until 7 August 2006
(according to the mail from Steve Langasek on 14 Oct 2005), so I think
there is plenty of time to do it. After that date, we need to stabilize and
see that we fix every bug we can. (I hope this is the right understanding ;))
>
> In short: Running as non-root is quite functional (apart from the need
> to move the .args file), but auto creating a user and removing it is
> evil IMHO, at least with the current Debian infrastructure. The last
> time I looked there was no official way to do this and I am running into
> problems with the usual adduser method all the time, which is why I
> would like to discuss our approach further before implementing it.
>
AFAIK, a lot of packages are doing that in the postinst / preinst scripts.
For example postfix, amavisd-new, cyrus-imapd, clamav-base, etc. are
creating a user in the postinst.
Proposed implementation:
if [ -z "`getent group openldap`" ]; then
    addgroup --quiet --system openldap
fi
if [ -z "`getent passwd openldap`" ]; then
    adduser --quiet --system --home /var/lib/ldap --shell /bin/false \
        --ingroup openldap --disabled-password --disabled-login --gecos \
        "OpenLDAP" openldap
fi
This will create a 'system' account, and there is a check whether the user
already exists on the system.
On removal of the user:
deluser --system openldap > /dev/null || true
This will remove only the user openldap if that user is also a system user.
I think this is the right way to add/remove a user from the system.
> Greetings
>
> Torsten
>
Regards,
Matthijs Mohlmann
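The maintainer-script pieces the thread describes (idempotent system account creation in postinst, SLAPD_USER/SLAPD_GROUP from /etc/default/slapd, ownership of the data and pid/.args directories, and a purge that only removes a real system account), as an added example that is not code from the thread or from the Debian openldap package. The account name, the /var/run/slapd path and the 1000 uid threshold (Debian's default LAST_SYSTEM_UID is 999) are assumptions.

```shell
# Added example, not from the thread: helpers for running slapd unprivileged.
# Account name, paths and the 1000 uid threshold are assumptions.
set -e

SLAPD_ACCOUNT=openldap
SLAPD_HOME=/var/lib/ldap

# default_var NAME FILE: value of the last NAME=... line in FILE, quotes removed.
default_var() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" 2>/dev/null | tail -n 1 | tr -d "\"'"
}

# Print user:group from /etc/default/slapd (or FILE), falling back to root so a
# defaults file without SLAPD_USER behaves exactly like the old root-only setup.
read_slapd_defaults() {
    file=${1:-/etc/default/slapd}
    u=$(default_var SLAPD_USER "$file"); g=$(default_var SLAPD_GROUP "$file")
    printf '%s:%s\n' "${u:-root}" "${g:-root}"
}

# True when NAME exists with a system uid; deluser --system only removes such
# accounts, so postrm must never touch a human user that happens to reuse the name.
is_system_account() {
    uid=$(id -u "$1" 2>/dev/null) || return 1
    [ "$uid" -lt 1000 ]
}

# postinst: create group and account only when absent, so reconfigure and
# upgrades stay idempotent; --system keeps the uid below the threshold above.
create_slapd_account() {
    getent group "$SLAPD_ACCOUNT" >/dev/null || addgroup --quiet --system "$SLAPD_ACCOUNT"
    getent passwd "$SLAPD_ACCOUNT" >/dev/null ||
        adduser --quiet --system --home "$SLAPD_HOME" --shell /bin/false \
            --ingroup "$SLAPD_ACCOUNT" --disabled-password --disabled-login \
            --gecos "OpenLDAP" "$SLAPD_ACCOUNT"
}

# Hand the data directory and a runtime directory for the pid/.args files to the
# configured account; without the latter slapd cannot write .args once non-root.
fix_slapd_ownership() {
    ug=$(read_slapd_defaults "$1")
    install -d -m 0750 -o "${ug%%:*}" -g "${ug#*:}" /var/lib/ldap
    install -d -m 0755 -o "${ug%%:*}" -g "${ug#*:}" /var/run/slapd
}

# postrm purge: remove the account, but only if it is still a system account.
remove_slapd_account() {
    if is_system_account "$SLAPD_ACCOUNT"; then
        deluser --system "$SLAPD_ACCOUNT" >/dev/null || true
    fi
}
```

create_slapd_account, fix_slapd_ownership and remove_slapd_account need root and the Debian adduser tools; the two parsing/checking helpers run anywhere.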