Well, well. Forgive me for saying that now you're being a little narrow-minded. If programs that belong to software like openldap (such as slapadd) do 'setuid()' themselves, then end users (and administrators):
- Need to remember (or know) fewer things;
- Need to type less;
- Have fewer chances to break the working state of stuff, which in turn spares people time (Googling, bug reports, your response, etc.).
Not that I'm saying that life is easy, but shouldn't we try to bring ease to life if we can? From this K.I.S.S. point of view, I wildly guessed that slapadd not setuid'ing was a bug. If you wish to prevent future events for other users, you should consider this a bug.
I won't bother you again. I'll just 'chown openldap:openldap /usr/sbin/slapadd' and then 'chmod a+s /usr/sbin/slapadd', as it should be more than enough to avoid future events for me.
Thank you for your time and prompt reply. I don't know if you get paid for doing this stuff, but you should. Starting in November, Google for 'science, not fiction'.
Thanks again.
Pedro RA
Pierangelo Masarati wrote:
pedrorandrade@gmail.com wrote:
One workaround is issuing 'sudo -u openldap slapadd ...' to avoid chown'ing afterwards.
What you call a workaround is actually The Right Thing (TM). There is no way to setuid() tools simply because there's no need to, as they can be run with the right identity. The only reason slapd can be setuid() is that it needs to start as root in order to bind to port 389, and **then** setuid() before doing anything else. Running programs as the correct user is normal UNIX administration - or should OpenLDAP also document ls, rm, ...?
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it
Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati@sys-net.it
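The two situations argued over in this thread (a setuid bit added to slapadd, and database files left root-owned because slapadd was run as root) can both be caught with a couple of audit checks. This is an added example, not code from either poster or from the OpenLDAP project; it assumes a find(1) that supports -perm and -user, and the paths and user name passed in are the caller's own.

```shell
#!/bin/sh
# Added example for the thread above (not from the posters or from OpenLDAP).
# Assumes POSIX find(1) with -perm and -user.

# has_setuid_bits FILE
# Returns 0 if FILE carries a setuid or setgid bit, 1 otherwise.
# A 'chmod a+s' on slapadd makes it runnable with the openldap identity by any
# local user, which is why the reply prefers 'sudo -u openldap slapadd ...'.
has_setuid_bits() {
    f="$1"
    [ -e "$f" ] || return 1
    out=$(find "$f" -prune \( -perm -4000 -o -perm -2000 \) -print)
    [ -n "$out" ]
}

# files_not_owned_by DIR USER
# Prints every path under DIR not owned by USER; returns 0 if any were found,
# 1 if DIR is clean. This is the symptom of running slapadd as root: the
# database files come out root-owned and slapd (running as openldap) cannot
# open them afterwards.
files_not_owned_by() {
    dir="$1"; user="$2"
    out=$(find "$dir" ! -user "$user" -print)
    [ -n "$out" ] && printf '%s\n' "$out"
    [ -n "$out" ]
}

# run_as_service_user USER CMD...
# The approach the reply recommends: run the tool under the service identity
# so no chown is needed afterwards. Falls back to sudo when not already USER.
run_as_service_user() {
    user="$1"; shift
    if [ "$(id -un)" = "$user" ]; then
        "$@"
    else
        sudo -u "$user" "$@"
    fi
}
```

Run `files_not_owned_by /var/lib/ldap openldap` (adjusting the directory and user to your installation) after any import to confirm slapd will still be able to open its database.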