2:33 p.m.
Hello LDAP users and maintainers,
libraries/libldap/init.c has this code which bypasses read all LDAP
config env vars when the exe loadlig libldap is running in setuid mode.
This is causing problems for one of our customers who routinely run our
product Linux executables (which load our libldap) in setuid mode for
legitimate purposes.
Since we have the source, we can and may change this code.
In our case, customer wants to set env var LDAPCONF to point at a
non-default conf file but is unable to do so. In fact this code bypasses
almost all ways an alternate config file can be read.
Even $HOME/ldap.conf is not read.
My question here is should this code be considered a bug and changed to
be less restrictive? I fully appreciate there should be restrictions
when in setuid mode but the current code seems too restrictive.
init.c:
686
687 openldap_ldap_init_w_sysconf(LDAP_CONF_FILE);
688
689 #ifdef HAVE_GETEUID
690 if ( geteuid() != getuid() )
691 goto done;
692 #endif
693
694 openldap_ldap_init_w_userconf(LDAP_USERRC_FILE);
695
Norm Green
GemTalk Systems LLC
4:14 p.m.
Norm Green wrote:
Hello LDAP users and maintainers,
libraries/libldap/init.c has this code which bypasses read all LDAP config env vars when
the exe loadlig libldap is running in setuid mode.
This is causing problems for one of our customers who routinely run our product Linux
executables (which load our libldap) in setuid mode for legitimate purposes.
Since we have the source, we can and may change this code.
In our case, customer wants to set env var LDAPCONF to point at a non-default conf file
but is unable to do so. In fact this code bypasses almost all ways an
alternate config file can be read.
Even $HOME/ldap.conf is not read.
My question here is should this code be considered a bug and changed to be less
restrictive?
No. Read the commit history.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
11:17 p.m.
New subject: Antw: [EXT] Config files & env vars not read when geteuid() != getuid()
>> Norm Green <norm.green(a)gemtalksystems.com> schrieb am
15.04.2021 um 23:33 in
Nachricht
<edc569ad-5307-4361-8a85-f4e71b820bb5(a)gemtalksystems.com>:
Hello LDAP users and maintainers,
libraries/libldap/init.c has this code which bypasses read all LDAP
config env vars when the exe loadlig libldap is running in setuid mode.
This is causing problems for one of our customers who routinely run our
product Linux executables (which load our libldap) in setuid mode for
legitimate purposes.
Since we have the source, we can and may change this code.
In our case, customer wants to set env var LDAPCONF to point at a
non-default conf file but is unable to do so. In fact this code bypasses
almost all ways an alternate config file can be read.
I wonder what the use case is.
Even $HOME/ldap.conf is not read.
My question here is should this code be considered a bug and changed to
be less restrictive? I fully appreciate there should be restrictions
when in setuid mode but the current code seems too restrictive.
init.c:
686
687 openldap_ldap_init_w_sysconf(LDAP_CONF_FILE);
688
689 #ifdef HAVE_GETEUID
690 if ( geteuid() != getuid() )
691 goto done;
692 #endif
693
694 openldap_ldap_init_w_userconf(LDAP_USERRC_FILE);
695
Norm Green
GemTalk Systems LLC
782
days inactive
786
days old
openldap-technical@openldap.org
2 comments
3 participants
participants (3)
-
Howard Chu -
Norm Green -
Ulrich Windl