[Pkg-openldap-devel] r938 - openldap/trunk/debian

Russ Allbery rra at alioth.debian.org
Fri Dec 21 07:29:45 UTC 2007


Author: rra
Date: 2007-12-21 07:29:45 +0000 (Fri, 21 Dec 2007)
New Revision: 938

Modified:
   openldap/trunk/debian/changelog
   openldap/trunk/debian/slapd.postinst
   openldap/trunk/debian/slapd.scripts-common
Log:
* Create /etc/ldap/slapd.conf owned by the openldap group and mode 640
  by default so that slapindex and friends can read it when run as the
  openldap user. Fix permissions on upgrade if slapd.conf is owned by
  root and mode 600. Closes: #432662

Modified: openldap/trunk/debian/changelog
===================================================================
--- openldap/trunk/debian/changelog	2007-12-21 07:11:58 UTC (rev 937)
+++ openldap/trunk/debian/changelog	2007-12-21 07:29:45 UTC (rev 938)
@@ -53,6 +53,10 @@
     to statically link a dynamically-loaded slapi plugin.
 
   [ Russ Allbery ]
+  * Create /etc/ldap/slapd.conf owned by the openldap group and mode 640
+    by default so that slapindex and friends can read it when run as the
+    openldap user. Fix permissions on upgrade if slapd.conf is owned by
+    root and mode 600. Closes: #432662
   * If SLAPD_CONF is set to a directory in /etc/default/slapd, assume
     the cn=config backend is used and start slapd with the appropriate
     options.  Based on a patch from Mike Burr.  Closes: #411413.

Modified: openldap/trunk/debian/slapd.postinst
===================================================================
--- openldap/trunk/debian/slapd.postinst	2007-12-21 07:11:58 UTC (rev 937)
+++ openldap/trunk/debian/slapd.postinst	2007-12-21 07:29:45 UTC (rev 938)
@@ -59,6 +59,10 @@
 	# Update permissions of all database directories and /var/run/slapd
 	update_databases_permissions
 	update_permissions /var/run/slapd
+
+	# Versions prior to 2.4.7-1 could create a slapd.conf that wasn't
+	# readable by the openldap user.
+	update_slapd_conf_permissions
 }
 
 # }}}
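Review bot: The added call to `update_slapd_conf_permissions` has no visible version guard, although its comment ties the fix to files created by versions prior to 2.4.7-1. If the enclosing function (which starts outside this hunk) runs on every configure, an administrator who deliberately restricts slapd.conf to root-only could have group read re-granted on each later upgrade. Unless the caller already limits this to upgrades from affected versions, consider gating it with `dpkg --compare-versions "<previously-configured-version>" lt 2.4.7-1`, using whatever variable this script already holds the old version in.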

Modified: openldap/trunk/debian/slapd.scripts-common
===================================================================
--- openldap/trunk/debian/slapd.scripts-common	2007-12-21 07:11:58 UTC (rev 937)
+++ openldap/trunk/debian/slapd.scripts-common	2007-12-21 07:29:45 UTC (rev 938)
@@ -138,7 +138,19 @@
 	done
 }
 # }}}
+update_slapd_conf_permissions() {	# {{{
+	if [ -n "$SLAPD_USER" ] && [ -n "$SLAPD_GROUP" ] ; then
+		if perl -e '
+			($o, $m) = (stat $ARGV[0])[4,2];
+			exit 1 if ($o == 0 && ($m & 040) == 0);
+		' "$SLAPD_CONF"; then
+			chgrp "$SLAPD_GROUP" "$SLAPD_CONF"
+			chmod g+r "$SLAPD_CONF"
+		fi
+	fi
+}
 # }}}
+# }}}
 # ----- Dumping and loading the data ------------------------------------ {{{
 
 automatic_ldif_fixing_wanted_for() {					# {{{ 
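Review bot: The test in `update_slapd_conf_permissions` looks inverted. The perl snippet exits 1 exactly when the file is owned by uid 0 and lacks group read, so the `if perl ...; then` branch is skipped for the root/600 case the log message wants fixed and runs for every other file. As written, a slapd.conf whose owner or group an administrator set deliberately gets its group replaced and `g+r` added, while the unreadable one stays unreadable. Flipping the exits to `exit 0 if ($o == 0 && ($m & 040) == 0); exit 1;` matches the stated intent. A failed stat leaves both values undefined, which compare equal to 0, so the outer test should also require `[ -f "$SLAPD_CONF" ]` to leave a missing path or a cn=config directory alone.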
@@ -801,15 +813,18 @@
 	local conf_new
 	conf_new="$1"
 
-  # On install and remove we don't have to backup the configuration file. Only
-  # on upgrade.
-  if [ "$MODE" = "upgrade" ]; then
-    backup_config_once
-  fi
+	# On install and remove we don't have to backup the configuration
+	# file. Only on upgrade.
+	if [ "$MODE" = "upgrade" ]; then
+		backup_config_once
+	fi
 
 	# Make sure we keep the permissions of an old slapd.conf
 	if [ -e "$SLAPD_CONF" ]; then
 		assign_permissions "$SLAPD_CONF" "$conf_new"
+	elif [ -n "$SLAPD_GROUP" ] ; then
+		chgrp "$SLAPD_GROUP" "$conf_new"
+		chmod 640 "$conf_new"
 	fi
 	mv "$conf_new" "$SLAPD_CONF"
 }
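Review bot: The new `elif` branch sets an explicit mode only when `$SLAPD_GROUP` is non-empty. Otherwise the freshly installed slapd.conf keeps whatever mode `$conf_new` was created with, which this hunk does not show. Because slapd.conf can hold credentials such as rootpw, it is safer to pin the mode in the fallback too, e.g. `else chmod 600 "$conf_new"`. The enclosing function begins outside the hunk, so confirm how `$conf_new` is created before relying on its default mode.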



