ian@uns.ns.ac.yu wrote:
> Linux, as opposed to other *NIXes, honors PF_LOCAL socket file mode bits, so a user must have the write permission to use the socket. OpenLDAP bind()s its PF_LOCAL sockets without any special arrangements, so the resulting socket's permissions are governed by the current umask. Since the umask is usually 022 or 002, the socket ends up not being world-writable, making it unusable for users other than root.
> Earlier OpenLDAP releases recognized a non-standard "x-mod" URL extension for manipulating socket permissions, and the parsing code is still there, but its results are unused.
Yes, that's been removed because it is non-portable and of little use. The preferred use consists in creating the socket according to umask in a directory with the desired permissions. Right now, those permissions are used to coarse-grain regulate operations on a specific listener; considering their limited usefulness, their use is not recommended as that extension could be removed. It's considered experimental.
> With the attached patch, PF_LOCAL sockets are always created world-writable by setting the umask to zero before bind(). The previous umask is restored immediately afterwards. Umask manipulation shouldn't affect PF_UNIX bind()s, so I haven't surrounded it with #ifdef LDAP_PF_LOCAL.
Your approach seems to be sound. I'll review the patch.
Thanks, p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
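An added example, not ian's patch and not OpenLDAP code, showing the two approaches discussed in the thread side by side: binding a PF_LOCAL socket under the caller's umask (so the enclosing directory's permissions do the access control) versus clearing the umask around bind() and restoring it immediately afterwards so the socket file comes out world-writable. It assumes Linux semantics for the socket file's mode bits (created as 0777 & ~umask); the temporary directory and socket path are constructed for the example, and the helper names are the example's own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* for mkdtemp() on glibc */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

#ifndef PF_LOCAL
#define PF_LOCAL PF_UNIX
#endif

/* Bind a PF_LOCAL stream socket at `path`.
 * world_writable == 0: bind() under the caller's umask, so the socket file's
 *   mode is 0777 & ~umask and the enclosing directory's permissions decide
 *   who can reach it (the directory-based approach).
 * world_writable != 0: clear the umask around bind() and restore it right
 *   after, so the socket file is created 0777 (the approach of the patch).
 * Returns the socket fd, or -1 on error. */
int bind_local_socket(const char *path, int world_writable)
{
    struct sockaddr_un sa;
    mode_t old_umask = 0;
    int fd;

    if (strlen(path) >= sizeof(sa.sun_path))
        return -1;
    fd = socket(PF_LOCAL, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof(sa));
    sa.sun_family = AF_LOCAL;
    memcpy(sa.sun_path, path, strlen(path));
    unlink(path);                        /* drop a stale socket file, if any */

    if (world_writable)
        old_umask = umask(0);
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
        if (world_writable)
            umask(old_umask);            /* restore even on the error path */
        close(fd);
        return -1;
    }
    if (world_writable)
        umask(old_umask);
    return fd;
}

/* Permission bits (0777 mask) of the socket file at `path`, or -1 if it is
 * missing or not a socket. */
int socket_file_mode(const char *path)
{
    struct stat st;

    if (stat(path, &st) < 0 || !S_ISSOCK(st.st_mode))
        return -1;
    return (int)(st.st_mode & 0777);
}

/* Bind one socket in a fresh temporary directory under a umask of 022 (the
 * common default) and report the resulting file mode. Also verifies that
 * bind_local_socket() left the caller's umask intact. Returns the mode bits
 * or -1 on error. The directory name is constructed for this example. */
int demo_socket_mode(int world_writable)
{
    char dir[] = "/tmp/ldapi-demo-XXXXXX";
    char path[64];
    mode_t saved;
    int fd, mode = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    saved = umask(022);
    snprintf(path, sizeof path, "%s/ldapi", dir);
    fd = bind_local_socket(path, world_writable);
    if (fd >= 0) {
        mode = socket_file_mode(path);
        if (umask(022) != 022)           /* umask must still be 022 here */
            mode = -1;
        close(fd);
        unlink(path);
    }
    umask(saved);
    rmdir(dir);
    return mode;
}

int main(void)
{
    printf("bound under umask 022: %04o\n", demo_socket_mode(0));  /* 0755 */
    printf("bound with umask(0):   %04o\n", demo_socket_mode(1));  /* 0777 */
    return 0;
}
```

Under the default umask the socket file ends up 0755, which on Linux means only the owner can connect() to it; with the umask cleared around bind() it is 0777 and any local user can. If the listener should be reachable by a restricted group rather than everyone, the directory approach from the reply above is the one to use: bind under the normal umask inside a directory whose mode (for example owner and group only) limits who can traverse to the socket at all.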