[blfs-book] [BLFS Trac] #4619: openldap-2.4.39
trac at linuxfromscratch.org
Wed Jan 29 08:40:59 PST 2014
Reporter: fo | Owner: fo
Type: enhancement | Status: reopened
Priority: normal | Milestone: current
Component: BOOK | Version: SVN
Severity: normal | Resolution:
Comment (by fo):
On 29-01-2014 01:41, Armin K. wrote:
> On 29.1.2014 3:12, Fernando de Oliveira wrote:
>> On 28-01-2014 21:10, Armin K. wrote:
>>> On 29.1.2014 0:33, Fernando de Oliveira wrote:
>>>> Author: fernando
>>>> Date: Tue Jan 28 15:33:24 2014
>>>> New Revision: 12643
>>>> Updates to sendmail.8.14.8 and openldap-2.4.39.
>>> If it was server config file, this would rather be insecure. But you
>>> still didn't chmod nor chown slapd.conf and slapd.ldif. Anyways,
>>> *anything* in /var/lib/openldap should *not* be either readable or
>>> writable by anyone other than the ldap daemon itself.
>> Thanks. It was a mistake.
>> I wanted to follow more closely your suggestions, but I had to
>> because you failed to reply to my comment in the ticket. So I am doing
>> what Ubuntu and Debian do.
>> Fixed at revision 12644.
> Partially fixed. I am still pointing out that having slapd configuration
> files and ldap databases in /var/lib/openldap readable by anyone is a
> SECURITY ISSUE. Especially since a file stores admin password in
> PLAIN TEXT. That's why mode 640 and root:ldap ownership were used. root
> owner, so only root could modify the file and ldap group so the group
> which owns slapd daemon could read but not modify the file in case of
> security breach.
I still cannot understand why Ubuntu and Debian do differently.
Thanks for the explanation that you did not want to give before.
Hope that now you will be pleased. If not, please write, and we will try
Fixed at r12645.
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/4619#comment:18>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
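As an added example (not from the ticket thread or the BLFS book), a small sh check that applies the rule Armin describes above, root:ldap ownership, mode 640, nothing world-readable, to slapd.conf, slapd.ldif and the /var/lib/openldap tree. The function name, the /etc/openldap path in the usage comment and the reliance on GNU find (-perm /mode, -printf) are assumptions of this example.

```shell
#!/bin/sh
# check_ldap_perms OWNER GROUP PATH...
# Reports every regular file under the given paths that is world-accessible,
# group-writable, or not owned by OWNER:GROUP (the thread's rule: root:ldap,
# mode 640), and every directory that is world-accessible. Returns 0 when
# everything passes, 1 when something is reported or a path is missing.
# Assumed usage (paths are this example's assumption, not the book's):
#   sh check_ldap_perms.sh root ldap /etc/openldap/slapd.conf \
#       /etc/openldap/slapd.ldif /var/lib/openldap
check_ldap_perms() {
    owner=$1; group=$2; shift 2
    rc=0
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            echo "MISSING: $p"
            rc=1
            continue
        fi
        # GNU find: -perm /o+rwx matches any "other" bit set, -perm /g+w a
        # group-write bit; -printf prints mode, owner:group and path.
        out=$(find "$p" \( \
                \( -type f \( -perm /o+rwx -o -perm /g+w \
                              -o ! -user "$owner" -o ! -group "$group" \) \) \
                -o \( -type d -perm /o+rwx \) \
              \) -printf '%m %u:%g %p\n')
        if [ -n "$out" ]; then
            printf '%s\n' "$out"
            rc=1
        fi
    done
    return $rc
}

# Only run when invoked with OWNER GROUP and at least one path.
if [ $# -ge 3 ]; then
    check_ldap_perms "$@"
fi
```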