Re: (ITS#4719) Support for running slapadd/slapindex as a user
by bgmilne@staff.telkomsa.net
On Tuesday 24 October 2006 21:00, quanah(a)stanford.edu wrote:
> --On Tuesday, October 24, 2006 6:52 PM +0000 Kurt(a)OpenLDAP.org wrote:
> > At 11:48 AM 10/24/2006, ando(a)sys-net.it wrote:
> >> quanah(a)stanford.edu wrote:
> >>> It would be nice if you could pass -u and -g options to run as another
> >>> user/group so that on systems where OpenLDAP is running as another user
> >>> or group, the files created by slapadd & slapindex have the correct
> >>> ownerships (rather than root, for example).
> >>
> >> OK for slapadd; for slapindex and other tools, what about using
> >> user/group info from the file(s) itself?
> >
> > Why not just use su(1)? the only reason slapd(8) has -u/-g options
> > is because it changes root after some initialization.
>
> Because some people are brain dead, and because other people set up
> application accounts that don't actually have a shell.
And some brain-dead OSes have an su without a -s flag?
> It also makes
> things more consistent behavior wise. I personally don't have this issue
> because I run openldap as root anyway, but I've seen list traffic about
> this on more than one occasion, and am seeing people hit it on the debian
> openldap list as well.
Debian doesn't have a brain-dead su, so 'su -s /bin/bash -c "slapadd ...."' etc. is feasible.
One of my colleagues has a sticker on his monitor which says:
Social Engineering Specialist: because there is no patch for stupidity.
I haven't seen the need for this myself (but then I don't use back-config, and
my initscript parses slapd.conf to find all database directories, and checks
ownership on all of them).
Regards,
Buchan
--
Buchan Milne
ISP Systems Specialist - Monitoring/Authentication Team Leader
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
Re: (ITS#4719) Support for running slapadd/slapindex as a user
by ahasenack@terra.com.br
On Tue, Oct 24, 2006 at 12:46:30PM -0700, Quanah Gibson-Mount wrote:
> >>Because some people are brain dead, and because other people set up
> >>application accounts that don't actually have a shell. It also makes
> >>things more consistent behavior wise. I personally don't have this
> >>issue because I run openldap as root anyway, but I've seen list traffic
> >>about this on more than one occasion, and am seeing people hit it on
> >>the debian openldap list as well.
> >
> >The slapd initscript should/could chown the files whenever slapd is
> >(re)started.
>
> And how would the init script know the locations of X number of databases,
> particularly if back-config is used?
With back-config things get more complicated, but with slapd.conf it's
just a bunch of greps.
What about storing this info inside the config file itself (i.e.,
"slapd_user ldap", "slapd_group ldap")? Chicken and egg problem?
Re: (ITS#4719) Support for running slapadd/slapindex as a user
by quanah@stanford.edu
--On Tuesday, October 24, 2006 7:16 PM +0000 ahasenack(a)terra.com.br wrote:
> On Tue, Oct 24, 2006 at 07:00:40PM +0000, quanah(a)stanford.edu wrote:
>>
>>
>> --On Tuesday, October 24, 2006 6:52 PM +0000 Kurt(a)OpenLDAP.org wrote:
>>
>> > At 11:48 AM 10/24/2006, ando(a)sys-net.it wrote:
>> >> quanah(a)stanford.edu wrote:
>> >>> It would be nice if you could pass -u and -g options to run as
>> >>> another user/group so that on systems where OpenLDAP is running as
>> >>> another user or group, the files created by slapadd & slapindex have
>> >>> the correct ownerships (rather than root, for example).
>> >>>
>> >> OK for slapadd; for slapindex and other tools, what about using
>> >> user/group info from the file(s) itself?
>> >
>> > Why not just use su(1)? the only reason slapd(8) has -u/-g options
>> > is because it changes root after some initialization.
>>
>> Because some people are brain dead, and because other people set up
>> application accounts that don't actually have a shell. It also makes
>> things more consistent behavior wise. I personally don't have this
>> issue because I run openldap as root anyway, but I've seen list traffic
>> about this on more than one occasion, and am seeing people hit it on
>> the debian openldap list as well.
>
> The slapd initscript should/could chown the files whenever slapd is
> (re)started.
And how would the init script know the locations of X number of databases,
particularly if back-config is used?
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
Re: (ITS#4719) Support for running slapadd/slapindex as a user
by ahasenack@terra.com.br
On Tue, Oct 24, 2006 at 07:00:40PM +0000, quanah(a)stanford.edu wrote:
>
>
> --On Tuesday, October 24, 2006 6:52 PM +0000 Kurt(a)OpenLDAP.org wrote:
>
> > At 11:48 AM 10/24/2006, ando(a)sys-net.it wrote:
> >> quanah(a)stanford.edu wrote:
> >>> It would be nice if you could pass -u and -g options to run as another
> >>> user/group so that on systems where OpenLDAP is running as another user
> >>> or group, the files created by slapadd & slapindex have the correct
> >>> ownerships (rather than root, for example).
> >>>
> >> OK for slapadd; for slapindex and other tools, what about using
> >> user/group info from the file(s) itself?
> >
> > Why not just use su(1)? the only reason slapd(8) has -u/-g options
> > is because it changes root after some initialization.
>
> Because some people are brain dead, and because other people set up
> application accounts that don't actually have a shell. It also makes
> things more consistent behavior wise. I personally don't have this issue
> because I run openldap as root anyway, but I've seen list traffic about
> this on more than one occasion, and am seeing people hit it on the debian
> openldap list as well.
The slapd initscript should/could chown the files whenever slapd is
(re)started.
Re: (ITS#4719) Support for running slapadd/slapindex as a user
by hyc@symas.com
Kurt(a)OpenLDAP.org wrote:
> At 11:48 AM 10/24/2006, ando(a)sys-net.it wrote:
>> quanah(a)stanford.edu wrote:
>>> It would be nice if you could pass -u and -g options to run as another
>>> user/group so that on systems where OpenLDAP is running as another user or
>>> group, the files created by slapadd & slapindex have the correct ownerships
>>> (rather than root, for example).
>>>
>> OK for slapadd; for slapindex and other tools, what about using
>> user/group info from the file(s) itself?
>
> Why not just use su(1)? the only reason slapd(8) has -u/-g options
> is because it changes root after some initialization.
Agreed. As for using info from the files themselves - that requires
per-backend functions to return the user/group info. Seems like
unnecessary effort.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
Re: (ITS#4719) Support for running slapadd/slapindex as a user
by quanah@stanford.edu
--On Tuesday, October 24, 2006 6:52 PM +0000 Kurt(a)OpenLDAP.org wrote:
> At 11:48 AM 10/24/2006, ando(a)sys-net.it wrote:
>> quanah(a)stanford.edu wrote:
>>> It would be nice if you could pass -u and -g options to run as another
>>> user/group so that on systems where OpenLDAP is running as another user
>>> or group, the files created by slapadd & slapindex have the correct
>>> ownerships (rather than root, for example).
>>>
>> OK for slapadd; for slapindex and other tools, what about using
>> user/group info from the file(s) itself?
>
> Why not just use su(1)? the only reason slapd(8) has -u/-g options
> is because it changes root after some initialization.
Because some people are brain dead, and because other people set up
application accounts that don't actually have a shell. It also makes
things more consistent behavior wise. I personally don't have this issue
because I run openldap as root anyway, but I've seen list traffic about
this on more than one occasion, and am seeing people hit it on the debian
openldap list as well.
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
Re: (ITS#4719) Support for running slapadd/slapindex as a user
by ando@sys-net.it
quanah(a)stanford.edu wrote:
>> OK for slapadd; for slapindex and other tools, what about using
>> user/group info from the file(s) itself?
>>
>
> What file(s)? Assuming this is a new (and only) index? I guess the __db.*
> files? or the id2entry file? Just trying to see specifically where you are
> going on this. :)
>
I mean: if slapadding a brand new db, -u/-g (but -g is already in use by
glue stuff) is fine. If slapadding/slapindexing an existing db, get the
info from the existing file, if any, or from id2entry.bdb. I'd use a
specific option, though, and bail out if no definite answer can be
gathered (e.g. -H means use ownership from file, -HH use ownership from
file, or from id2entry.bdb if file does not exist). Note that it would
make sense to have the -HH behavior as the default...
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati(a)sys-net.it
------------------------------------------
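Two of the approaches in this thread can be tried without any change to slapadd: Buchan Milne's init script that parses slapd.conf for the database directories and checks their ownership, and Pierangelo Masarati's proposal above to take the expected owner from the existing id2entry.bdb (the "-HH" behaviour) before falling back to a configured account. The script below is an added example written for this page; it is not code from the thread, from the Debian package or from OpenLDAP. It assumes slapd.conf syntax (one "directory <path>" per database, so not back-config), BDB/HDB backends whose main file is id2entry.bdb, and an su(1) that accepts -s. The function names are hypothetical and the slapd.conf it is run against in the demo is constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenLDAP: an init-script style
# ownership check for slapd database directories, with the "owner from the
# existing id2entry.bdb" fallback proposed in the thread.  All function names
# are hypothetical; the sample config used in the demo is constructed.

# Print the "directory" value of every database in a slapd.conf.  Comment
# lines are skipped, the keyword is matched case-insensitively as slapd
# does, and surrounding double quotes are stripped from the path.
slapd_db_dirs() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "directory" && NF >= 2 {
            p = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", p)   # drop the keyword
            sub(/[ \t]+$/, "", p)                # drop trailing blanks
            gsub(/^"|"$/, "", p)                 # unquote
            print p
        }' "$1"
}

# "user:group" of an existing database, read from its id2entry.bdb via
# ls -ld (same fields on GNU and BSD, unlike stat -c / stat -f).
# Prints nothing and returns 1 if the database has not been created yet.
db_owner_from_file() {
    f="$1/id2entry.bdb"
    [ -f "$f" ] || return 1
    ls -ld "$f" | awk '{ print $3 ":" $4 }'
}

# Expected owner of a database directory: the existing id2entry.bdb wins
# (the proposed -HH behaviour); otherwise the configured service account.
expected_owner() {
    dir=$1 fallback=$2
    db_owner_from_file "$dir" || echo "$fallback"
}

# Check every database directory in slapd.conf $1 against account $2
# ("user:group").  Each problem goes to stderr; returns 0 only if all are
# fine.  find -user/-group are POSIX; an unknown account makes find fail,
# which is reported rather than silently counted as a pass.
check_db_ownership() {
    conf=$1 account=$2 rc=0
    while IFS= read -r d; do
        [ -n "$d" ] || continue
        if [ ! -d "$d" ]; then
            echo "missing directory: $d" >&2; rc=1; continue
        fi
        want=$(expected_owner "$d" "$account")
        u=${want%%:*} g=${want#*:}
        if ! bad=$(find "$d" -prune \( ! -user "$u" -o ! -group "$g" \) -print 2>/dev/null); then
            echo "cannot check $d against $want" >&2; rc=1
        elif [ -n "$bad" ]; then
            echo "wrong owner on $d (want $want)" >&2; rc=1
        fi
    done <<EOF
$(slapd_db_dirs "$conf")
EOF
    return $rc
}

# The command an init script runs instead of a slapadd -u/-g option: su -s
# lends the service account a shell even when its login shell is /bin/false,
# and the files slapadd creates are then owned by that account from the
# start.  Printed, not executed, since it needs root and a real slapd.conf.
slapadd_as() {
    printf 'su -s /bin/sh -c "slapadd -f %s -l %s" %s\n' "$2" "$3" "$1"
}

# Demo on a constructed config: db1 already has an id2entry.bdb owned by
# the current user, db2 is a fresh directory that falls back to ldap:ldap.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/db1" "$t/db2"
    : > "$t/db1/id2entry.bdb"
    printf 'database bdb\ndirectory "%s/db1"\n\ndatabase hdb\n  DIRECTORY %s/db2\n' "$t" "$t" > "$t/slapd.conf"
    check_db_ownership "$t/slapd.conf" "$(id -un):$(id -gn)" && echo "ownership OK"
    slapadd_as ldap "$t/slapd.conf" /tmp/backup.ldif
    rm -rf "$t"
}
demo
```

The check only reports; the chown suggested elsewhere in the thread is a one-line addition in the "wrong owner" branch, but doing it blindly would also hide a real problem such as a database restored from a root-owned backup. Note too that slapadd run under su reads slapd.conf and the LDIF as the service account, so both files must be readable by it, and that the id2entry.bdb fallback deliberately trusts whatever owner the existing database already has, which is exactly the case Pierangelo asks the tool to bail out on when no definite answer can be gathered.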
Re: (ITS#4719) Support for running slapadd/slapindex as a user
by Kurt@OpenLDAP.org
At 11:48 AM 10/24/2006, ando(a)sys-net.it wrote:
>quanah(a)stanford.edu wrote:
>> It would be nice if you could pass -u and -g options to run as another
>> user/group so that on systems where OpenLDAP is running as another user or
>> group, the files created by slapadd & slapindex have the correct ownerships
>> (rather than root, for example).
>>
>OK for slapadd; for slapindex and other tools, what about using
>user/group info from the file(s) itself?
Why not just use su(1)? the only reason slapd(8) has -u/-g options
is because it changes root after some initialization.
Re: (ITS#4719) Support for running slapadd/slapindex as a user
by quanah@stanford.edu
--On Tuesday, October 24, 2006 8:49 PM +0200 Pierangelo Masarati
<ando(a)sys-net.it> wrote:
> quanah(a)stanford.edu wrote:
>> It would be nice if you could pass -u and -g options to run as another
>> user/group so that on systems where OpenLDAP is running as another user
>> or group, the files created by slapadd & slapindex have the correct
>> ownerships (rather than root, for example).
>>
> OK for slapadd; for slapindex and other tools, what about using
> user/group info from the file(s) itself?
What file(s)? Assuming this is a new (and only) index? I guess the __db.*
files? or the id2entry file? Just trying to see specifically where you are
going on this. :)
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
Re: (ITS#4719) Support for running slapadd/slapindex as a user
by ando@sys-net.it
quanah(a)stanford.edu wrote:
> It would be nice if you could pass -u and -g options to run as another
> user/group so that on systems where OpenLDAP is running as another user or
> group, the files created by slapadd & slapindex have the correct ownerships
> (rather than root, for example).
>
OK for slapadd; for slapindex and other tools, what about using
user/group info from the file(s) itself?
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati(a)sys-net.it
------------------------------------------