chroot'd operation, userid
- To: OpenLDAP Devel <openldap-devel@openldap.org>
- Subject: chroot'd operation, userid
- From: Howard Chu <hyc@symas.com>
- Date: Thu, 26 Oct 2006 13:32:56 -0700
- User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060911 Netscape/7.2 (ax) Firefox/1.5 SeaMonkey/1.5a
I was reviewing the discussion of ITS#4719 and thinking about some of
the options. We could add a setuser/setgroup config directive for the
tools to use. It might be confusing since these directives would not
replace the need for slapd's -u and -g commandline options.

Along those lines, how does anyone use slapd with the -r option? Since
no corresponding option exists for the tools, and presumably the
pathnames in slapd.conf are absolute paths, I guess you would need an
alternate config for running the tools outside the chroot jail, with the
full paths to the jailed directories. Seems rather messy.

I would expect the more common scenario is to just run slapd using a
userID that doesn't have write privileges outside its database
directories, and not worry about a chroot jail.

We've talked about this in the past - why don't we restructure things so
that the user and group are read from the config, along with the
listeners? I.e., defer dropping root privs until after the config has
been read.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
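As an added illustration of the ordering the message above argues for (privileged setup such as listeners or a chroot jail first, then drop root), the C program below is example code written for this page; it is not OpenLDAP's or Howard Chu's code. It drops supplementary groups, then the group, then the user, and verifies afterwards that every id changed and that root cannot be regained. The account name taken from the command line and the function names `drop_privileges`, `privileges_match` and `root_is_unreachable` are the example's own choices.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop privileges in the only order that works: supplementary groups
 * (only root may call setgroups), then the primary group, then the user.
 * The user must go last: once the uid is non-root, setgid() to a
 * different gid fails with EPERM and the process keeps root's group. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Clear inherited supplementary groups so root's groups don't linger. */
        if (setgroups(0, NULL) != 0)
            return -1;
    }
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* A drop is only complete when real and effective ids both match the
 * target; a changed euid with a saved uid of 0 could be switched back. */
int privileges_match(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/* Returns 1 when the process can no longer become root (setuid(0) is
 * refused with EPERM), 0 when it still can. Meaningful after a real
 * drop from root; a process that never had root trivially reports 1. */
int root_is_unreachable(void)
{
    return setuid(0) != 0 && errno == EPERM;
}

int main(int argc, char **argv)
{
    /* Target account: optional first argument, e.g. "ldap" (an assumed
     * account name); default is the invoking user, so the sequence can be
     * exercised without root. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (argc > 1) {
        struct passwd *pw = getpwnam(argv[1]);
        if (pw == NULL) {
            fprintf(stderr, "unknown user: %s\n", argv[1]);
            return 1;
        }
        uid = pw->pw_uid;
        gid = pw->pw_gid;
    }

    /* Anything that needs root, such as binding a listener on port 389,
     * opening a log file in a root-owned directory or chroot()+chdir("/")
     * into a jail, belongs here, before the drop below. The message above
     * proposes reading the config first for the same reason: the user,
     * group and listeners are all needed before privileges are given up. */

    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    if (!privileges_match(uid, gid)) {
        fprintf(stderr, "privilege drop incomplete\n");
        return 1;
    }
    printf("running as uid=%lu gid=%lu, root reachable: %s\n",
           (unsigned long)getuid(), (unsigned long)getgid(),
           root_is_unreachable() ? "no" : "yes");
    return 0;
}
```

Run it as root with an unprivileged account name to see the full drop; run it as an ordinary user with no argument to see the same sequence succeed against the caller's own ids. The "root reachable: yes" line is the case a deployment should never print after startup.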