[blfs-book] [BLFS Trac] #4619: openldap-2.4.39

BLFS Trac trac at linuxfromscratch.org
Wed Jan 29 08:54:14 PST 2014


#4619: openldap-2.4.39
-------------------------+----------------------
 Reporter:  fo           |       Owner:  fo
     Type:  enhancement  |      Status:  closed
 Priority:  normal       |   Milestone:  current
Component:  BOOK         |     Version:  SVN
 Severity:  normal       |  Resolution:  fixed
 Keywords:               |
-------------------------+----------------------

Comment (by Krejzi):

 I can't explain it better than I tried in the mail, but here it is again:

 By default, ldap server (slapd) is running as root unless you specify the
 -u and -g switches, which blfs bootscript does.

 So, instead of running the daemon as the root user, blfs runs it as an
 unprivileged ldap user - for security (as a side note, running some
 network daemons as root might be insecure).

 But then again, the openldap package installs slapd configuration files
 with mode 600, which means they are only readable and writable by the root
 user, which is also the owner of the file.

 That said, the slapd daemon, which runs as the ldap user and group, can't
 read the file and thus fails on startup.

 The "whatever distro I borrowed the chowns and chmods from (doesn't mean
 it's Debian/Ubuntu)" lets the members of the ldap group read the file, but
 only the owner (still root) modify the file. That's where chmod 640 and
 chown root:ldap come into the picture.

 Only root can modify the file, but a member of the ldap group (which is
 the ldap user) can only read the file, so in case of a security breach
 through the slapd daemon (it could happen, but that doesn't mean it will)
 the file can't be modified by the ldap user, which the daemon runs as, but
 only by root. That also means that anyone who manages to log in as the
 unprivileged user can't change the slapd administrator password, which is
 stored (not 100% sure) in plaintext in the slapd configuration file.

 Again, an increased security measure. Chowning the slapd configuration
 file to the ldap user, without any chmod, would also work fine, but then
 again you don't take security into account.

-- 
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/4619#comment:20>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
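As an added illustration (not part of the ticket or of the BLFS book's own scripts), the following Python script models the POSIX permission check that decides whether slapd, started with -u ldap -g ldap as the blfs bootscript does, can read or write its configuration file under each of the layouts debated above: the package default 600 root:root, the 640 root:ldap fix, and the chown-only 600 ldap:ldap alternative. The numeric uids and gids are constructed placeholders, and audit_path is a hypothetical helper that applies the same verdict to a real file on disk.

```python
"""Model the file-permission outcomes discussed in BLFS ticket #4619.

Added example, not code from the ticket or the BLFS book. It evaluates
whether a process with a given uid and group set may read or write a
file with a given owner, group and mode, then classifies the slapd
configuration layouts debated in the ticket.
"""
import os
import stat

# Constructed ids for the example; a real system resolves them with pwd/grp.
ROOT_UID, ROOT_GID = 0, 0
LDAP_UID, LDAP_GID = 439, 439      # placeholder ids for the ldap user/group
OTHER_UID, OTHER_GID = 1000, 1000  # an unrelated local user, for exposure checks


def can_access(mode, owner_uid, owner_gid, uid, gids, want):
    """Return True if a process running as uid with group set gids may
    perform want ('r' or 'w') on a file with permission bits mode owned
    by owner_uid:owner_gid.

    Follows the POSIX rule: the owner class applies if the uid matches,
    otherwise the group class if any gid matches, otherwise 'other'.
    Only the first matching class is consulted. uid 0 bypasses the bits
    (CAP_DAC_OVERRIDE), which is why root can always edit the file.
    """
    if uid == 0:
        return True
    if uid == owner_uid:
        bit = stat.S_IRUSR if want == "r" else stat.S_IWUSR
    elif owner_gid in gids:
        bit = stat.S_IRGRP if want == "r" else stat.S_IWGRP
    else:
        bit = stat.S_IROTH if want == "r" else stat.S_IWOTH
    return bool(mode & bit)


def slapd_outcome(mode, owner_uid, owner_gid):
    """Classify a slapd config file for a daemon started with -u ldap -g ldap."""
    ldap = (LDAP_UID, {LDAP_GID})
    other = (OTHER_UID, {OTHER_GID})
    if not can_access(mode, owner_uid, owner_gid, *ldap, "r"):
        return "fails on startup: the ldap user cannot read the config"
    if can_access(mode, owner_uid, owner_gid, *other, "r"):
        return "starts, but any local user can read the admin password"
    if can_access(mode, owner_uid, owner_gid, *ldap, "w"):
        return "starts, but a compromised daemon could rewrite its own config"
    return "starts, and only root can modify the config"


# The three layouts from the ticket, plus a world-readable one for contrast.
SCENARIOS = {
    "package default (600 root:root)": (0o600, ROOT_UID, ROOT_GID),
    "ticket's fix (640 root:ldap)": (0o640, ROOT_UID, LDAP_GID),
    "chown only (600 ldap:ldap)": (0o600, LDAP_UID, LDAP_GID),
    "world readable (644 root:root)": (0o644, ROOT_UID, ROOT_GID),
}


def audit_path(path):
    """Hypothetical helper: stat a real file and give it the same verdict."""
    st = os.stat(path)
    return slapd_outcome(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)


if __name__ == "__main__":
    for label, (mode, uid, gid) in SCENARIOS.items():
        print(f"{label:34s} -> {slapd_outcome(mode, uid, gid)}")
```

The order of the checks in slapd_outcome mirrors the ticket's reasoning: the daemon must be able to read the file at all, the file must not leak the administrator password to every local account, and ideally the daemon's own identity should not be able to rewrite it; only 640 root:ldap satisfies all three.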
