FS#57457 - [nss-pam-ldapd] Root writing to a dir owned by a user

Attached to Project: Community Packages
Opened by Doug Newgard (Scimmia) - Saturday, 10 February 2018, 07:33 GMT
Last edited by Doug Newgard (Scimmia) - Wednesday, 14 February 2018, 00:28 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Johannes Löthberg (demize)
Levente Polyak (anthraxx)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No


The tmpfiles entry in this package creates /run/nslcd/ as owned by nslcd:nslcd, but then the service files run the daemons as root, causing the PID files to be written as root to a dir owned by a user. This is a security risk and systemd has disabled this in the current version, but relaxed them a bit as too many daemons do the wrong thing here. See https://github.com/systemd/systemd/issues/8085

The service files should either be run as the user or the dir should be owned by root:root.
This task depends upon

Closed by  Doug Newgard (Scimmia)
Wednesday, 14 February 2018, 00:28 GMT
Reason for closing:  Fixed
Additional comments about closing:  nss-pam-ldapd 0.9.8-3
Comment by Johannes Löthberg (demize) - Saturday, 10 February 2018, 12:16 GMT
Well, it was rebuilt with --nofork before you filed this, so it's not a problem anymore. Not sure why the systemd service isn't already just starting it as the nslcd user though.
Comment by Doug Newgard (Scimmia) - Saturday, 10 February 2018, 15:52 GMT
You're right, I missed the rebuild. I was just going by the issue people were having on the forums.

To start the daemon as a user, you'd need User=nslcd in the .service file. Even if the daemon itself drops privileges, it does it too late for pid file creation.

Edit: Thinking about it, your solution of --nofork is probably the better choice anyway, there's no reason to fork the daemon into the background in a .service file.