From 15c55a13f8a9fb6c8e8c9876ab581d29f947a200 Mon Sep 17 00:00:00 2001 From: Debian OpenLDAP Maintainers Date: Sun, 14 Feb 2021 17:26:41 +0000 Subject: [PATCH] index-files-created-as-root Document in the man page that slapindex should be run as the same user as slapd, and print a warning if it's run as root (since Debian defaults to running slapd as openldap). Not suitable for upstream in this form. This patch needs to be reworked to check the BerkeleyDB database ownership and only warn if running as root with a database that's not owned by root. Upstream ITS #5356 filed requesting better handling of this. Current upstream discussion leans towards putting the check into the database backend and aborting if slapd is run as a different user than the database owner, which is an even better fix. Gbp-Pq: Name index-files-created-as-root --- doc/man/man8/slapindex.8 | 4 ++++ servers/slapd/slapindex.c | 2 ++ 2 files changed, 6 insertions(+) diff --git a/doc/man/man8/slapindex.8 b/doc/man/man8/slapindex.8 index 405a4a63..e8dd2821 100644 --- a/doc/man/man8/slapindex.8 +++ b/doc/man/man8/slapindex.8 @@ -149,6 +149,10 @@ Your should not be running (at least, not in read-write mode) when you do this to ensure consistency of the database. .LP +slapindex ought to be run as the user specified for +.BR slapd (8) +to ensure correct database permissions. +.LP This command provides ample opportunity for the user to obtain and drink their favorite beverage. .SH EXAMPLES diff --git a/servers/slapd/slapindex.c b/servers/slapd/slapindex.c index 0f22387a..b06abc8e 100644 --- a/servers/slapd/slapindex.c +++ b/servers/slapd/slapindex.c @@ -34,6 +34,8 @@ int slapindex( int argc, char **argv ) { + if (geteuid() == 0) + fprintf( stderr, "\nWARNING!\nRunning as root!\nThere's a fair chance slapd will fail to start.\nCheck file permissions!\n\n"); ID id; int rc = EXIT_SUCCESS; const char *progname = "slapindex"; -- 2.30.2