From 295ea07241a48c1c55c6765e4ca51e99c10a98a9 Mon Sep 17 00:00:00 2001
From: William Brown <william@blackhats.net.au>
Date: Sep 04 2019 00:04:02 +0000
Subject: Ticket 50576 - Same proc uid/gid maps to rootdn for ldapi sasl


Bug Description: In containers the directory server process may
not start as root, and root may not even be accessible. This means
that some local administration is difficult to achieve. By allowing
the running process id to map to rootdn (directory manager), we have
the same effective security, but ease use of some cli tools.

Fix Description: Allow uid/gid to map to root dn

https://pagure.io/389-ds-base/issue/50576

Author: William Brown <william@blackhats.net.au>

Review by: mreynolds (Thanks!)

---

diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
index 9c41efb..567a9b7 100644
--- a/ldap/servers/slapd/daemon.c
+++ b/ldap/servers/slapd/daemon.c
@@ -2035,6 +2035,9 @@ slapd_bind_local_user(Connection *conn)
     uid_t uid = conn->c_local_uid;
     gid_t gid = conn->c_local_gid;
 
+    uid_t proc_uid = geteuid();
+    gid_t proc_gid = getegid();
+
     if (!conn->c_local_valid) {
         goto bail;
     }
@@ -2157,7 +2160,15 @@ slapd_bind_local_user(Connection *conn)
             slapi_ch_free_string(&base_dn);
         }
 
-        if (ret && 0 == uid) {
+        /*
+         * We map the current process uid also to directory manager.
+         * This is secure as it requires local machine OR same-container volume
+         * access and the correct uid access. If you have access to the uid/gid
+         * and are on the same machine you could always just reset the rootdn hashes
+         * anyway ... so this is no reduction in security.
+         */
+
+        if (ret && (0 == uid || proc_uid == uid || proc_gid == gid)) {
             /* map unix root (uidNumber:0)? */
             char *root_dn = config_get_ldapi_root_dn();