[Fedora-directory-commits] ldapserver/ldap/cm Makefile,1.49,1.50

[Richard Allen Megginson (rmeggins)]

Author: rmeggins

Update of /cvs/dirsec/ldapserver/ldap/cm
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv6012

Modified Files:
	Makefile 
Log Message:
Reviewed by Nathan (Thanks!)

NSS 3.11 introduces a new library (libfreebl3.so) that is loaded as part of NSS initialization.  With Fedora DS 1.0, we moved NSS initialization to occur after the setuid from root to the runtime uid so that the files created during NSS init would have the correct ownership.  However, the bin/slapd/server directory is set to 0700 meaning no execute permission for the runtime uid.  The OS requires this directory to be 711 to allow the slapd process to load in the shared libraries needed by NSS.  We use 711 to disallow reading in this directory because if slapd crashes shortly after startup, a core file may go in this directory which may contain secret information.



Index: Makefile
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/cm/Makefile,v
retrieving revision 1.49
retrieving revision 1.50
diff -u -r1.49 -r1.50
--- Makefile	15 Feb 2006 22:53:56 -0000	1.49
+++ Makefile	17 Feb 2006 16:57:19 -0000	1.50
@@ -581,9 +581,12 @@
 endif # BUILD_RPM
 
 	find $(RELDIR) -exec chmod go-w {} \;
-# $(RELDIR)/bin/slapd/server may host a core file.
-# For security reason, it's readable only by the owner
-	chmod 700 $(RELDIR)/bin/slapd/server
+# $(RELDIR)/bin/slapd/server may host a core file if the server crashes
+# shortly after startup (otherwise, cores go in slapd-instance/logs)
+# For security reasons, it's readable only by the owner
+# but it needs to be executable (11) so that it can
+# load in shared libs from slapd/lib after the setuid
+	chmod 711 $(RELDIR)/bin/slapd/server
 
 $(INSTDIR)/slapd:
 	$(MKDIR) -p $@