On 29.1.2014 3:12, Fernando de Oliveira wrote:
> On 28-01-2014 21:10, Armin K. wrote:
>>
>>
>> On 29.1.2014 0:33, [email protected] wrote:
>>> Author: fernando
>>> Date: Tue Jan 28 15:33:24 2014
>>> New Revision: 12643
>>>
>>> Log:
>>> Updates to sendmail.8.14.8 and openldap-2.4.39.
>>>
>>> Modified:
>>> trunk/BOOK/general.ent
>>> trunk/BOOK/introduction/welcome/changelog.xml
>>> trunk/BOOK/server/mail/sendmail.xml
>>> trunk/BOOK/server/other/openldap.xml
>>>
>
>
>>>
>>> -chown -R ldap:ldap /var/lib/openldap &&
>>> +chown -v -R ldap:ldap /var/lib/openldap &&
>>> +chmod -v 0644 /var/lib/openldap/DB_CONFIG.example &&
>>> +chmod -v 0644 /etc/openldap/{ldap.{conf,ldif},DB_CONFIG.example} &&
>>>
>>
>> If it was a server config file, this would rather be insecure. But you
>> still didn't chmod nor chown slapd.conf and slapd.ldif. Anyways,
>> *anything* in /var/lib/openldap should *not* be either readable or
>> writable by anyone other than the ldap daemon itself.
>>
>
> Thanks. It was a mistake.
>
> I wanted to follow more closely your suggestions, but I had to research,
> because you failed to reply to my comment in the ticket. So I am doing
> what Ubuntu and Debian do.
>
> Fixed at revision 12644.
>
>
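Review bot: the two added `chmod -v 0644` lines make /var/lib/openldap/DB_CONFIG.example and /etc/openldap/{ldap.conf,ldap.ldif,DB_CONFIG.example} readable by every local user, while the hunk applies no chmod or chown at all to slapd.conf and slapd.ldif, which the thread notes store the admin password in plain text. Suggest 0640 with root:ldap ownership for the slapd configuration files (root edits, the daemon's group reads, nobody else sees them), and no world-readable bits on anything under /var/lib/openldap, since only the ldap daemon needs access to the databases there.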
Partially fixed. I am still pointing out that having slapd configuration files and ldap databases in /var/lib/openldap readable by anyone is a SECURITY ISSUE. Especially since a file stores the admin password in PLAIN TEXT.

That's why mode 640 and root:ldap ownership were used: root as owner, so only root could modify the file, and ldap as group, so the group which owns the slapd daemon could read but not modify the file in case of a security breach.

--
http://linuxfromscratch.org/mailman/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
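The permission scheme argued for in this thread, as an added shell example (not BLFS book instructions and not Armin's or Fernando's commands): configuration files under /etc/openldap get 640 root:ldap so root can edit and the daemon's group can only read; the database directory is given to the ldap user with 700 directories and 600 files, which is this example's reading of "not readable or writable by anyone other than the ldap daemon itself". The function names, the positional parameters (owner strings and directories are overridable so the script can be exercised on a scratch tree without root) and the 700/600 choice are assumptions made for this example. A second function audits a tree for any entry that still carries a read, write or execute bit for "others".

```shell
#!/bin/sh
# Added example, not BLFS book text: apply the 640 root:ldap scheme from the
# thread to the slapd configuration and lock the database directory down to
# the ldap daemon, then audit for anything still world-accessible.
# Names, parameters and the 700/600 data-directory modes are assumptions.

# harden_openldap_perms [CONF_OWNER] [DATA_OWNER] [CONF_DIR] [DATA_DIR]
#   CONF_OWNER  owner:group for slapd configuration  (default root:ldap)
#   DATA_OWNER  owner:group for the database directory (default ldap:ldap)
#   CONF_DIR    default /etc/openldap; DATA_DIR default /var/lib/openldap
harden_openldap_perms() {
    conf_owner="${1:-root:ldap}"
    data_owner="${2:-ldap:ldap}"
    conf_dir="${3:-/etc/openldap}"
    data_dir="${4:-/var/lib/openldap}"

    if [ -d "$conf_dir" ]; then
        # root edits, the ldap group (the daemon) reads, nobody else sees it:
        # 750 on directories so the daemon can traverse, 640 on files.
        chown -R "$conf_owner" "$conf_dir" || return 1
        find "$conf_dir" -type d -exec chmod 750 {} + || return 1
        find "$conf_dir" -type f -exec chmod 640 {} + || return 1
    fi
    if [ -d "$data_dir" ]; then
        # Only the daemon reads or writes its databases: 700 / 600.
        chown -R "$data_owner" "$data_dir" || return 1
        find "$data_dir" -type d -exec chmod 700 {} + || return 1
        find "$data_dir" -type f -exec chmod 600 {} + || return 1
    fi
}

# audit_world_access DIR...
#   Prints every entry under the given directories that has any read, write
#   or execute bit set for "others" (octal 004, 002, 001).
#   Returns 0 when nothing is world-accessible, 1 otherwise.
audit_world_access() {
    total=0
    for d in "$@"; do
        [ -e "$d" ] || continue
        list=$(find "$d" \( -perm -004 -o -perm -002 -o -perm -001 \) -print)
        if [ -n "$list" ]; then
            printf 'world-accessible under %s:\n%s\n' "$d" "$list"
            total=$((total + 1))
        fi
    done
    [ "$total" -eq 0 ]
}
```

On a real system, run `harden_openldap_perms` as root with no arguments after the openldap installation and then `audit_world_access /etc/openldap /var/lib/openldap` to confirm that the check passes; the audit alone is safe to run at any time and is a reasonable thing to keep in a post-install checklist.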
