author | Rich Megginson <rmeggins@redhat.com> | 2006-02-17 16:57:19 +0000 |
---|---|---|
committer | Rich Megginson <rmeggins@redhat.com> | 2006-02-17 16:57:19 +0000 |
commit | c453431f66673f6aeed97e82aa0627d39e698a1f (patch) | |
tree | ab59d149692636f61383d54cdc48024206c3232a | |
parent | 1b7b2c95a58f0220abed1928bec962d6f4ee89e9 (diff) | |
download | ds-c453431f66673f6aeed97e82aa0627d39e698a1f.tar.gz ds-c453431f66673f6aeed97e82aa0627d39e698a1f.tar.xz ds-c453431f66673f6aeed97e82aa0627d39e698a1f.zip |
Reviewed by Nathan (Thanks!)
NSS 3.11 introduces a new library (libfreebl3.so) that is loaded as part of NSS initialization. With Fedora DS 1.0, we moved NSS initialization to occur after the setuid from root to the runtime uid so that the files created during NSS init would have the correct ownership. However, the bin/slapd/server directory is set to 0700 meaning no execute permission for the runtime uid. The OS requires this directory to be 711 to allow the slapd process to load in the shared libraries needed by NSS. We use 711 to disallow reading in this directory because if slapd crashes shortly after startup, a core file may go in this directory which may contain secret information.
-rw-r--r-- | ldap/cm/Makefile | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/ldap/cm/Makefile b/ldap/cm/Makefile index f4da6be3..c849561b 100644 --- a/ldap/cm/Makefile +++ b/ldap/cm/Makefile @@ -581,9 +581,12 @@ ifdef BUILD_RPM endif # BUILD_RPM find $(RELDIR) -exec chmod go-w {} \; -# $(RELDIR)/bin/slapd/server may host a core file. -# For security reason, it's readable only by the owner - chmod 700 $(RELDIR)/bin/slapd/server +# $(RELDIR)/bin/slapd/server may host a core file if the server crashes +# shortly after startup (otherwise, cores go in slapd-instance/logs) +# For security reasons, it's readable only by the owner +# but it needs to be executable (11) so that it can +# load in shared libs from slapd/lib after the setuid + chmod 711 $(RELDIR)/bin/slapd/server $(INSTDIR)/slapd: $(MKDIR) -p $@ |
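Review bot: the new comment's "it needs to be executable (11)" understates what 0711 actually grants and is easy to misread; the extra bits give group and other search (traverse) permission on the directory, not read, which is exactly what lets the post-setuid runtime uid open the shared libraries by path without being able to list the directory. Suggest rewording the two comment lines to something like `# but group/other need search (x) permission (mode 0711) so the` / `# runtime uid can traverse it to load shared libs from slapd/lib after the setuid`. Worth stating in the same comment that 0711 only stops directory listing: a core file with a predictable name is still openable by anyone if its own mode allows it, so the protection for a dumped core rests on that file's ownership and mode, and the line `# For security reasons, it's readable only by the owner` now overstates what the chmod 711 provides.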