[nssldap] nss_ldap's tls_key file permission

Andrew Morgan morgan at orst.edu
Tue May 10 16:08:35 UTC 2005


On Tue, 10 May 2005, Farkas Levente wrote:

> hi,
> if we'd like to use nss_ldap with tls certificate files then we have to use at 
> least 644 permission even on the key file. it's not a good security concern. 
> it's better than without tls, but local user still too powerful in this 
> case:-( is there any way to prevent this? i mean to be able to change the 
> file permission to root:root 640 and use nss_ldap too? usually in this case a 
> small portion of the program runs as setuid root, but of course in this case it 
> can't help since it's a library and the whole nss philosophy is different 
> from this. what can i do? or currently there is no solution for this?
> thanks in advance.
> yours.

If you run 'nscd', then all nss requests will be routed through nscd 
(running as root) and you may be able to use stricter permissions on the 
config file and certificate files.

 	Andy
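
A check for the condition discussed in this thread, as an added example that is not part of either message: it reads the tls_key directive from an nss_ldap configuration file and reports whether the key file is readable by other local users. The configuration path is supplied by the caller, and the function names are illustrative.

```python
import os
import stat
import sys

KEY_DIRECTIVE = "tls_key"  # nss_ldap directive naming the client key file


def find_tls_key(conf_text):
    """Return the path from the last tls_key directive, or None if absent."""
    path = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == KEY_DIRECTIVE:
            path = parts[1].strip()
    return path


def audit_key(path):
    """Return a set of findings about the key file's mode and owner."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = set()
    if mode & stat.S_IROTH:
        findings.add("world-readable")   # e.g. 644: any local user can copy the key
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.add("group-or-world-writable")
    if st.st_uid != 0:
        findings.add("not-owned-by-root")
    return findings


if __name__ == "__main__":
    # Usage: script.py <path to the nss_ldap configuration file>
    with open(sys.argv[1]) as fh:
        key_path = find_tls_key(fh.read())
    if key_path is None:
        print("no tls_key directive found")
        sys.exit(0)
    problems = audit_key(key_path)
    print("%s: %s" % (key_path, ", ".join(sorted(problems)) or "ok"))
    sys.exit(1 if problems else 0)
```

A key file at root:root 640 passes this check, but as the reply notes, lookups then depend on being routed through nscd running as root.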



