[Pkg-openldap-devel] Re: (ITS#4750) libldap initialization of ~/.ldaprc and setuid
Howard Chu
hyc at symas.com
Wed Nov 15 08:25:59 CET 2006
Russ Allbery wrote:
> I assume from the ldap.conf documentation that if tls_cacertfile is set,
> tls_cacertdir is irrelevant? Or are both explored for a root cert to
> validate the remote server?
Both will get used.
> I think that if both the NSS and PAM modules deal with those variables,
> that removes most of my concern. I'd still feel generally better with a
> safety net in the library for setuid processes on the principle of defense
> in depth and because safely using the LDAP library in such a situation
> requires thinking more about configuration initialization than I think
> some users may realize, but I'll freely admit that my concern at that
> point is theoretical.
I'm not totally convinced yet, will think about it. The patch would have
to be #ifdef'd (HAVE_GETEUID or something) since it would not be
relevant on Windows and some other obscure platforms.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
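The "safety net" discussed above, as an added illustration that is not OpenLDAP's code and not the patch under discussion: a small C routine that only honours a per-user file such as ~/.ldaprc when the real and effective uid/gid of the process match, guarded by the kind of HAVE_GETEUID conditional Howard mentions so that it compiles away on platforms without effective ids. The struct name proc_ids, the functions, and the system path /etc/ldap/ldap.conf are assumptions for the example; the ids are passed in explicitly so the decision can be exercised without actually running setuid.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Assumption for this example: treat every non-Windows build as having
 * geteuid()/getegid(); a real build system would set this from configure. */
#if !defined(_WIN32) && !defined(HAVE_GETEUID)
#define HAVE_GETEUID 1
#endif

/* Real and effective ids of the calling process (hypothetical struct). */
typedef struct {
    uid_t ruid, euid;
    gid_t rgid, egid;
} proc_ids;

/* Returns 1 when real and effective ids differ, i.e. the process is
 * running setuid or setgid and must not trust caller-controlled input. */
int ids_are_elevated(const proc_ids *ids)
{
    return ids->ruid != ids->euid || ids->rgid != ids->egid;
}

/* Returns 1 when the per-user config file may be read. Under HAVE_GETEUID
 * an elevated process refuses it; without it the check compiles away, as
 * the thread notes it would have to on Windows and similar platforms. */
int user_rc_allowed(const proc_ids *ids)
{
#ifdef HAVE_GETEUID
    if (ids_are_elevated(ids))
        return 0;
#else
    (void)ids;
#endif
    return 1;
}

/* Fills `paths` with the config files to consult, system file first and
 * the per-user file only when the safety net allows it; returns the count.
 * `home` is passed in because in a setuid process $HOME itself is chosen by
 * the unprivileged caller, which is part of why the file is skipped. */
int config_paths(const proc_ids *ids, const char *home,
                 char paths[][256], int max)
{
    int n = 0;
    if (n < max)
        snprintf(paths[n++], 256, "%s", "/etc/ldap/ldap.conf"); /* assumed path */
    if (user_rc_allowed(ids) && home != NULL && n < max)
        snprintf(paths[n++], 256, "%s/.ldaprc", home);
    return n;
}

/* Reads the live ids of the current process. */
proc_ids current_ids(void)
{
    proc_ids ids;
    ids.ruid = getuid();
    ids.rgid = getgid();
#ifdef HAVE_GETEUID
    ids.euid = geteuid();
    ids.egid = getegid();
#else
    ids.euid = ids.ruid;
    ids.egid = ids.rgid;
#endif
    return ids;
}

int main(void)
{
    char paths[4][256];
    proc_ids ids = current_ids();
    int n = config_paths(&ids, getenv("HOME"), paths, 4);
    for (int i = 0; i < n; i++)
        printf("would read: %s\n", paths[i]);
    return 0;
}
```

Run unprivileged it lists both files; the same binary installed setuid lists only the system file, because the decision is taken from the id pair rather than from anything the caller can set in the environment.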