On 29.1.2014 3:12, Fernando de Oliveira wrote:
> Em 28-01-2014 21:10, Armin K. escreveu:
>>
>>
>> On 29.1.2014 0:33, ferna...@higgs.linuxfromscratch.org wrote:
>>> Author: fernando
>>> Date: Tue Jan 28 15:33:24 2014
>>> New Revision: 12643
>>>
>>> Log:
>>> Updates to sendmail.8.14.8 and openldap-2.4.39.
>>>
>>> Modified:
>>>      trunk/BOOK/general.ent
>>>      trunk/BOOK/introduction/welcome/changelog.xml
>>>      trunk/BOOK/server/mail/sendmail.xml
>>>      trunk/BOOK/server/other/openldap.xml
>>>
>
>
>>>
>>> -chown -R ldap:ldap /var/lib/openldap &&
>>> +chown -v -R ldap:ldap /var/lib/openldap                          &&
>>> +chmod -v 0644 /var/lib/openldap/DB_CONFIG.example                &&
>>> +chmod -v 0644 /etc/openldap/{ldap.{conf,ldif},DB_CONFIG.example} &&
>>>
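Review bot: `chmod -v 0644 /etc/openldap/{ldap.{conf,ldif},DB_CONFIG.example}` leaves these files world-readable, and the `chown -v -R ldap:ldap /var/lib/openldap` line changes only ownership, not mode, so the database directory stays readable by other users; slapd.conf and slapd.ldif are not touched at all. Suggest giving the server-side configuration files root:ldap ownership with mode 640 (ldap.conf is the client configuration and can remain 644) and removing all group and other access from /var/lib/openldap so only the ldap account can read or write the database.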
>>
>> If it was a server config file, this would rather be insecure. But you
>> still didn't chmod nor chown slapd.conf and slapd.ldif. Anyways,
>> *anything* in /var/lib/openldap should *not* be either readable or
>> writable by anyone other than the ldap daemon itself.
>>
>
> Thanks. It was a mistake.
>
> I wanted to follow more closely your suggestions, but I had to research,
> because you failed to reply to my comment in the ticket. So I am doing
> what Ubuntu and Debian do.
>
> Fixed at revision 12644.
>
>
>

Partially fixed. I am still pointing out that having slapd configuration 
files and ldap databases in /var/lib/openldap readable by anyone is a 
SECURITY ISSUE. Especially since a file stores the admin password in 
PLAIN TEXT. That's why mode 640 and root:ldap ownership were used: root 
as owner, so only root could modify the file, and ldap as group, so the 
group which owns the slapd daemon could read but not modify the file in 
case of a security breach.
-- 
http://linuxfromscratch.org/mailman/listinfo/blfs-dev
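An added audit script for the exposure described in this thread (not from the BLFS book or either poster): it lists entries under a directory that grant any access to "other" or write access to group, and checks a file against the 640 mode recommended above. It assumes GNU find and GNU stat; the /var/lib/openldap and /etc/openldap paths in the usage comment are the ones from the thread.

```shell
#!/bin/sh
# Added example, not from the BLFS book or this thread. Assumes GNU
# findutils (find -perm /mode) and GNU coreutils (stat -c).

# Print every entry under $1 whose mode grants any bit to "other" or
# write access to group, with its mode and owner. Return 1 if any such
# entry exists, 0 if the tree is restricted to its owner/group readers.
audit_ldap_perms() {
    bad=$(find "$1" \( -perm /o+rwx -o -perm /g+w \) 2>/dev/null)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" | while IFS= read -r f; do
        printf 'INSECURE %s %s\n' "$(stat -c '%a %U:%G' "$f")" "$f"
    done
    return 1
}

# Return 0 if $1 has exactly the octal mode $2 (e.g. 640 for slapd.conf:
# root may modify, the ldap group may only read), 1 otherwise.
expect_mode() {
    have=$(stat -c '%a' "$1") || return 1
    [ "$have" = "$2" ]
}

# Usage on a real system (run as root, paths from the thread):
#   audit_ldap_perms /var/lib/openldap
#   audit_ldap_perms /etc/openldap
#   expect_mode /etc/openldap/slapd.conf 640
```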