Re: the slapd startup problem (ITS#939)
At 03:58 PM 12/27/00 +0000, Allen.Zhao@ViAlta-Inc.com wrote:
>Full_Name: Allen Zhao
>Version: openldap-2.0.7
>OS: Linux
>URL: ftp://ftp.openldap.org/incoming/
>Submission from: (NULL) (204.101.36.131)
>
>
>We can start the slapd daemon at any time (limited by the resource). And when we
>kill one slapd process, we just kill one group of processes (normally three or more
>related processes). And we can run it as different users at the same time.
That's as expected.
>Maybe it's not a problem, since someone likes to provide different services at
>the same time on one host. But for security reasons, I think we should take
>care of this issue.
On most operating systems, users are free to create TCP listeners
(generally on a set of "non-reserved" ports). If you don't want
your users creating TCP listeners, the solution is not application
space, but the kernel space.
>Imagine the hacker or malicious user starts the slapd with
>his own configure file to retrieve the business secret.
A slapd started by a user cannot only provide access to
information which that user has permission to read in the
first place.