FS#30611 - [openldap] Install /run/openldap with 0755

Attached to Project: Arch Linux
Opened by Jochen Keil (jrk) - Monday, 09 July 2012, 10:07 GMT
Last edited by Eric Belanger (Snowman) - Monday, 10 June 2013, 19:30 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Eric Belanger (Snowman)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No

Details

Description:

In /usr/lib/tmpfiles.d/slapd.conf the permission for /run/openldap is set to 0750.
I see no reason in that, it should be set to 0755 since the only files residing there are pid, args and the socket.

If the permission is set to 0750 local daemons cannot access the socket.

Additional info:
* package version(s)
openldap 2.4.31-4

Steps to reproduce:
cat /usr/lib/tmpfiles.d/slapd.conf


Closed by  Eric Belanger (Snowman)
Monday, 10 June 2013, 19:30 GMT
Reason for closing:  Fixed
Additional comments about closing:  in svn trunk
Comment by Dave Reisner (falconindy) - Tuesday, 10 July 2012, 00:59 GMT
Could you clarify on what you mean by local daemons? Are you expecting that other services wanting to talk to slapd are able to talk to slapd over its unix domain socket?
Comment by Jochen Keil (jrk) - Tuesday, 10 July 2012, 06:21 GMT
Exactly. Part of my slapd access control list reads:

olcAccess: {3}to dn.subtree="ou=groups,dc=example,dc=com" by sockurl="ldapi:///" read by * none break

I use this for example for nslcd.conf and in postfix. I think that's a nice way to do especially with something like

olcAccess: {4}to * by self write by dn="cn=admin,dc=ch" write by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by anonymous auth by users read by * none

which allows me as root to use the socket with "-Y EXTERNAL" for modifications.
Comment by Jan de Groot (JGC) - Tuesday, 10 July 2012, 06:59 GMT
Unix domain sockets are a lot faster than using a TCP socket on localhost, so if possible, daemons should just use the domain socket. The socket itself has permissions set by the slapd daemon, so that's a configuration up to the user.
Comment by Dave Reisner (falconindy) - Tuesday, 10 July 2012, 12:37 GMT
Yep, this all makes sense.
Comment by Mantas Mikulėnas (grawity) - Monday, 10 June 2013, 09:16 GMT
  • Field changed: Percent Complete (100% → 0%)
JGC's comment is incorrect – slapd does not have any place to configure this; it always creates the socket with 0777 permissions. The only configuration is Arch's tmpfiles.d. Therefore it is a packaging issue.
Comment by Jan de Groot (JGC) - Monday, 10 June 2013, 09:17 GMT
Fun, OpenLDAP developers decided to throw away the code that sets the permissions using something like ldapi:///???x-mod=777.
Comment by Mantas Mikulėnas (grawity) - Monday, 10 June 2013, 16:49 GMT
Ah, after rereading the manpage, it seems that the x-mod option is still there; I didn't know about it before (only searched the entire slapd-config) and did not notice. Sorry.

...regardless, if the slapd setting exists, then I think the slapd setting should be used for this, and since the default is 0777 (to let all programs use it), IMO Arch's tmpfiles.d should have 0777 as well.
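As an added illustration (not part of the bug report or of OpenLDAP), the following Python model walks the POSIX permission check a client process undergoes on its way to the ldapi socket; it shows why the socket's own 0777 mode is irrelevant once /run/openldap lacks the search (x) bit for "other". The uids, gids and the socket filename are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    """Constructed filesystem entry: permission bits only, plus owner uid/gid."""
    mode: int
    uid: int
    gid: int

def _allowed(node, uid, gids, want):
    """Classic POSIX DAC: pick the owner, group or other bit triple and check it.
    uid 0 is treated as bypassing DAC (simplification of CAP_DAC_OVERRIDE)."""
    if uid == 0:
        return True
    if uid == node.uid:
        shift = 6
    elif node.gid in gids:
        shift = 3
    else:
        shift = 0
    return ((node.mode >> shift) & want) == want

def can_reach_socket(tree, path, uid, gids):
    """Return (ok, reason). Every directory on the path needs the search bit (x);
    on Linux, connect(2) to a unix stream socket then needs write permission on it."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts)):
        d = "/" + "/".join(parts[:i])
        if not _allowed(tree[d], uid, gids, 0o1):
            return False, f"no search (x) permission on {d}"
    if not _allowed(tree[path], uid, gids, 0o2):
        return False, f"no write permission on {path}"
    return True, "ok"

# Constructed ids, not Arch's real ones: slapd runs as ldap, nslcd as its own user.
LDAP_UID, LDAP_GID = 439, 439
NSLCD_UID, NSLCD_GID = 440, 440

def build_tree(run_openldap_mode):
    """Model of the tmpfiles.d-created directory and slapd's socket (default x-mod=777)."""
    return {
        "/run": Node(0o755, 0, 0),
        "/run/openldap": Node(run_openldap_mode, LDAP_UID, LDAP_GID),
        "/run/openldap/ldapi": Node(0o777, LDAP_UID, LDAP_GID),  # socket name assumed
    }

if __name__ == "__main__":
    for mode in (0o750, 0o755):
        print(oct(mode), can_reach_socket(build_tree(mode), "/run/openldap/ldapi",
                                          NSLCD_UID, {NSLCD_GID}))
```

With 0750 only slapd's own user (and root) gets through; with 0755 any local daemon can connect, and what it may then do is governed by the olcAccess rules quoted above.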