slapd creates run directory with root permissions

Asked by Andy Rabagliati

In /etc/init.d/slapd, this is needed (extra chown + chgrp)

if [ ! -d /var/run/slapd ]; then
        mkdir /var/run/slapd
        chown ${SLAPD_USER:-root} /var/run/slapd
        chgrp ${SLAPD_GROUP:-root} /var/run/slapd
fi

Question information

Language: English
Status: Solved
For: Ubuntu
Assignee: No assignee
Solved by: Ralph Janke

Ralph Janke (txwikinger) said :
#1

This is done so that only root can stop or restart your slap daemon.

Andy Rabagliati (andyr) said :
#2

If slapd cannot write its pid to /var/run/slapd/slapd.pid (because SLAPD_USER is ldap, say), then not even root can use "/etc/init.d/slapd restart" - root has to use killall instead.

If the directory permissions were set to 0600, owned by $SLAPD_USER, then both of us would be happy, no?

Ralph Janke (txwikinger) said :
#3

slapd.pid is not created by slapd, but by the start-stop-daemon that is run as root.

Ralph Janke (txwikinger) said :
#4

If you run slapd as ldap, then the environment variable SLAPD_USER must be set to ldap. Subsequently the expression ${SLAPD_USER:-root} returns ldap not root. It returns root if SLAPD_USER is not set.

Therefore the directory is actually owned by ldap not by root, and everything works the way you want it to, as I understand it.

Ralph Janke (txwikinger) said :
#5

Please ignore the message before the last one; it was posted in error.

Andy Rabagliati (andyr) said :
#6

Re message of 2007-02-09 14:11:53, great, and was my first suggestion. The chown/chgrp is not currently in the startup script, and is my proposed addition.

Best Ralph Janke (txwikinger) said :
#7

I have created a bug for it. Just a note. I would put the statements changing the permissions after the 'fi' in order to change it also if the directory already exists.

Andy Rabagliati (andyr) said :
#8

User confirmed that the request is solved.
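
The change discussed in this thread, with the chown/chgrp placed after the 'fi' as suggested in reply #7, written out as an added example (it is not the Ubuntu package's init script). The function name ensure_run_dir, the 0755 mode and the refusal of a symlink or non-directory at the path are assumptions of this example.

```shell
#!/bin/sh
# Added example: ensure_run_dir, the 0755 mode and the symlink check are
# assumptions of this sketch, not code from the slapd package.

# ensure_run_dir DIR
# Creates DIR if it is missing, then applies owner, group and mode on every
# call, so a directory left over with the wrong ownership is corrected too.
ensure_run_dir() {
    dir=$1
    owner=${SLAPD_USER:-root}    # root only when SLAPD_USER is unset or empty
    group=${SLAPD_GROUP:-root}   # root only when SLAPD_GROUP is unset or empty

    # chown/chgrp follow symlinks by default, so refuse a link at this path
    # rather than hand ownership of its target to the service account.
    if [ -L "$dir" ]; then
        echo "ensure_run_dir: $dir is a symlink, refusing" >&2
        return 1
    fi
    if [ -e "$dir" ] && [ ! -d "$dir" ]; then
        echo "ensure_run_dir: $dir exists and is not a directory" >&2
        return 1
    fi

    if [ ! -d "$dir" ]; then
        mkdir "$dir" || return 1
    fi

    # After the 'fi': these run whether or not the directory already existed.
    chown "$owner" "$dir" || return 1
    chgrp "$group" "$dir" || return 1
    chmod 0755 "$dir" || return 1
}

# In an init script this would be called as: ensure_run_dir /var/run/slapd
```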