index-files-created-as-root

Document in the man page that slapindex should be run as the same user
as slapd, and print a warning if it's run as root (since Debian defaults
to running slapd as openldap).

Not suitable for upstream in this form.  This patch needs to be reworked
to check the BerkeleyDB database ownership and only warn if running as
root with a database that's not owned by root.

Upstream ITS #5356 filed requesting better handling of this.  Current
upstream discussion leans towards putting the check into the database
backend and aborting if slapd is run as a different user than the database
owner, which is an even better fix.

Gbp-Pq: Name index-files-created-as-root

diff --git a/doc/man/man8/slapindex.8 b/doc/man/man8/slapindex.8
index 47c396be97e7aee5137c1f228cb9107dd42952cb..14ab4bc1144dbb3fbe1267aec7ee78c3b071fbf4 100644 (file)
--- a/doc/man/man8/slapindex.8
+++ b/doc/man/man8/slapindex.8
@@ -149,6 +149,10 @@ Your
 should not be running (at least, not in read-write
 mode) when you do this to ensure consistency of the database.
 .LP
+slapindex ought to be run as the user specified for
+.BR slapd (8)
+to ensure correct database permissions.
+.LP
 This command provides ample opportunity for the user to obtain
 and drink their favorite beverage.
 .SH EXAMPLES

diff --git a/servers/slapd/slapindex.c b/servers/slapd/slapindex.c
index eef08a6c90bd95ef0c1a45389c83e56e65fb910f..c872295e0d0a581d198c706c3f5b0b35ae16b9ee 100644 (file)
--- a/servers/slapd/slapindex.c
+++ b/servers/slapd/slapindex.c
@@ -34,6 +34,8 @@
 int
 slapindex( int argc, char **argv )
 {
+    if (geteuid() == 0)
+        fprintf( stderr, "\nWARNING!\nRunning as root!\nThere's a fair chance slapd will fail to start.\nCheck file permissions!\n\n");
        ID id;
        int rc = EXIT_SUCCESS;
        const char *progname = "slapindex";