Reviewed by Nathan (Thanks!)

NSS 3.11 introduces a new library (libfreebl3.so) that is loaded as part of NSS initialization.  With Fedora DS 1.0, we moved NSS initialization to occur after the setuid from root to the runtime uid so that the files created during NSS init would have the correct ownership.  However, the bin/slapd/server directory is set to 0700 meaning no execute permission for the runtime uid.  The OS requires this directory to be 711 to allow the slapd process to load in the shared libraries needed by NSS.  We use 711 to disallow reading in this directory because if slapd crashes shortly after startup, a core file may go in this directory which may contain secret information.

1 files changed, 6 insertions, 3 deletions

diff --git a/ldap/cm/Makefile b/ldap/cm/Makefile
index f4da6be3..c849561b 100644
--- a/ldap/cm/Makefile
+++ b/ldap/cm/Makefile
@@ -581,9 +581,12 @@ ifdef BUILD_RPM
 endif # BUILD_RPM
 
 	find $(RELDIR) -exec chmod go-w {} \;
-# $(RELDIR)/bin/slapd/server may host a core file.
-# For security reason, it's readable only by the owner
-	chmod 700 $(RELDIR)/bin/slapd/server
+# $(RELDIR)/bin/slapd/server may host a core file if the server crashes
+# shortly after startup (otherwise, cores go in slapd-instance/logs)
+# For security reasons, it's readable only by the owner
+# but it needs to be executable (11) so that it can
+# load in shared libs from slapd/lib after the setuid
+	chmod 711 $(RELDIR)/bin/slapd/server
 
 $(INSTDIR)/slapd:
 	$(MKDIR) -p $@