Norm Green norm.green@gemtalksystems.com wrote on 15.04.2021 at 23:33 in
message edc569ad-5307-4361-8a85-f4e71b820bb5@gemtalksystems.com:
Hello LDAP users and maintainers,
libraries/libldap/init.c has this code which bypasses reading all LDAP config env vars when the exe loading libldap is running in setuid mode.
This is causing problems for one of our customers, who routinely runs our product's Linux executables (which load our libldap) in setuid mode for legitimate purposes. Since we have the source, we can and may change this code.
In our case, the customer wants to set the env var LDAPCONF to point at a non-default conf file but is unable to do so. In fact this code bypasses almost all ways an alternate config file can be read.
I wonder what the use case is.
Even $HOME/ldap.conf is not read.
My question here is should this code be considered a bug and changed to be less restrictive? I fully appreciate there should be restrictions when in setuid mode but the current code seems too restrictive.
init.c (lines 686-695):

    openldap_ldap_init_w_sysconf(LDAP_CONF_FILE);

    #ifdef HAVE_GETEUID
    if ( geteuid() != getuid() )
        goto done;
    #endif

    openldap_ldap_init_w_userconf(LDAP_USERRC_FILE);
Norm Green GemTalk Systems LLC
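To make the policy in the quoted init.c fragment concrete, here is an added example (not code from libldap or from the poster) of the trust-boundary rule it implements: a system-wide config file is always read, but user-controlled sources (the per-user rc file and environment variables such as LDAPCONF) are only honoured when the effective identity matches the real identity, because under setuid those sources are chosen by an unprivileged caller and read by a privileged process. The loader below is a simulation: it takes the uids/gids and env values as parameters so the decision can be exercised without running setuid. Extending the check to the gid pair, and the source names and bitmask, are this example's assumptions; the page's own code only compares geteuid() with getuid().

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Configuration sources a loader might consult, in the order libldap
   reads them (names are this example's own, not libldap's). */
enum {
    SRC_SYSCONF     = 1,   /* system-wide ldap.conf: always trusted       */
    SRC_USERRC      = 2,   /* $HOME/ldaprc or similar: owned by the caller */
    SRC_ENV_LDAPCONF = 4,  /* LDAPCONF env var: chosen by the caller      */
    SRC_ENV_LDAPRC  = 8    /* LDAPRC env var: chosen by the caller        */
};

/* Nonzero when the process holds privileges the invoking user does not:
   this is the setuid/setgid case. Assumption: the gid pair is compared
   too; the quoted libldap code compares only the uid pair. */
int is_privileged(uid_t euid, uid_t uid, gid_t egid, gid_t gid)
{
    return euid != uid || egid != gid;
}

/* Simulated config loader. Returns a bitmask of the sources that would be
   consulted. Under elevated privileges only the system file is used, since
   every other source is under the control of the (less privileged) caller. */
int sources_consulted(uid_t euid, uid_t uid, gid_t egid, gid_t gid,
                      const char *env_ldapconf, const char *env_ldaprc)
{
    int mask = SRC_SYSCONF;                 /* openldap_ldap_init_w_sysconf */

    if (is_privileged(euid, uid, egid, gid))
        return mask;                        /* the "goto done" in init.c    */

    mask |= SRC_USERRC;                     /* openldap_ldap_init_w_userconf */
    if (env_ldapconf && *env_ldapconf)
        mask |= SRC_ENV_LDAPCONF;
    if (env_ldaprc && *env_ldaprc)
        mask |= SRC_ENV_LDAPRC;
    return mask;
}

/* Stand-alone run: report the decision for the current process. */
int main(void)
{
    int mask = sources_consulted(geteuid(), getuid(), getegid(), getgid(),
                                 getenv("LDAPCONF"), getenv("LDAPRC"));
    printf("privileged=%d sources=0x%x\n",
           is_privileged(geteuid(), getuid(), getegid(), getgid()), mask);
    return 0;
}
```

Run unprivileged, the program reports all four sources as eligible (subject to the env vars being set); run from a setuid binary it reports only the system file, which is exactly the behaviour the quoted message describes. The example's point for the design question raised above: the check is not about the file the variable points to being hostile, but about the process reading any caller-chosen path while holding privileges the caller lacks, so any relaxation has to decide which caller-controlled inputs it is willing to trust in that state.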