
(ITS#4482) /etc/init.d/ldap creates a script in /tmp which won't work if /tmp is mounted with noexec option
Full_Name: Sam Azer
Version: openldap-2.3.19-4
OS: Fedora Core 5
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (24.202.86.13)


Description of problem:

/etc/init.d/ldap creates a script in /tmp. It is not a particularly necessary
script; i.e., running "service ldap restart" produces the following script:

   File: /tmp/start-slapd.f31856
Content: exec /usr/sbin/slapd -h "ldap:///"; -u ldap

This works fine for a standard Linux install, but when /etc/fstab is modified
to block execution of scripts in /tmp as a security precaution, the
/etc/init.d/ldap script fails.

Version-Release number of selected component (if applicable):

openldap-2.3.19-4

How reproducible:

Always on systems with /tmp mounted as a separate partition with the
noexec/nosuid options in fstab.

Steps to Reproduce:

1. In /etc/fstab, change the /tmp line to include the noexec/nosuid options,
like this:

/dev/vg1/lv0 /tmp ext3 rw,noexec,nosuid  1 2

2. Next, remount the partition:

mount -o remount /tmp

3. Next, try to restart the OpenLDAP service:

service ldap restart

Actual results:

"Permission Denied," OpenLDAP fails to start

Expected results:

OpenLDAP should restart normally

One possible solution to the specific issue in the ldap script is to move the
script from /tmp to /var/tmp. Specifically, in the /etc/init.d/ldap file on
line 147, which currently reads:

        wrapper=`mktemp ${TMP:-/tmp}/start-slapd.XXXXXX`

We can change the name of the directory to /var/tmp as follows:

        wrapper=`mktemp ${TMP:-/var/tmp}/start-slapd.XXXXXX`

This solves the problem for /etc/init.d/ldap; it is now able to function
correctly in an environment where no scripts are allowed to execute in /tmp.