
Re: (ITS#4482) /etc/init.d/ldap creates a script in /tmp which won't work if /tmp is mounted with noexec option



There is no such script contained in OpenLDAP Software
(as distributed by the OpenLDAP Project), nor is there
any version (distributed by the OpenLDAP Project)
labeled 2.3.19-4.  You are likely using a 3rd party
package.  You should report this problem to the packager
(or whomever the maintainer of this script is).

This report will be closed.

Kurt

At 12:09 PM 4/7/2006, sam@bnt.ca wrote:
>Full_Name: Sam Azer
>Version: openldap-2.3.19-4
>OS: Fedora Core 5
>URL: ftp://ftp.openldap.org/incoming/
>Submission from: (NULL) (24.202.86.13)
>
>
>Description of problem:
>
>/etc/init.d/ldap creates a script in /tmp. It's not a particularly necessary
>script, i.e. running service ldap restart produces the following script:
>
>   File: /tmp/start-slapd.f31856
>Content: exec /usr/sbin/slapd -h "ldap:///"; -u ldap
>
>This works fine for a standard Linux install, but when /etc/fstab is modified to
>block execution of scripts in /tmp as a security precaution, the
>/etc/init.d/ldap script fails.
>
>Version-Release number of selected component (if applicable):
>
>openldap-2.3.19-4
>
>How reproducible:
>
>always on systems with /tmp mounted as a separate partition, with noexec/nosuid
>option in fstab.
>
>Steps to Reproduce:
>
>1. In /etc/fstab, change the /tmp line to include the noexec/nosuid options,
>like this:
>
>/dev/vg1/lv0 /tmp ext3 rw,noexec,nosuid  1 2
>
>2. Next, remount the partition:
>
>mount -o remount /tmp
>
>3. Next, try to restart the openLDAP service:
>
>service ldap restart
>
>Actual results:
>
>"Permission Denied," OpenLDAP fails to start
>
>Expected results:
>
>OpenLDAP should restart normally
>
>One possible solution to the specific issue in the ldap script is to move the
>script from /tmp to /var/tmp. Specifically, in the /etc/init.d/ldap file on
>line 147, which currently reads:
>
>        wrapper=`mktemp ${TMP:-/tmp}/start-slapd.XXXXXX`
>
>We can change the name of the directory to /var/tmp as follows:
>
>        wrapper=`mktemp ${TMP:-/var/tmp}/start-slapd.XXXXXX`
>
>This solves the problem for /etc/init.d/ldap; it is now able to function
>correctly in an environment where no scripts are allowed to execute in /tmp.