>>> Norm Green <[email protected]> wrote on 15.04.2021 at 23:33 in message <[email protected]>:
> Hello LDAP users and maintainers,
>
> libraries/libldap/init.c has this code which bypasses reading all LDAP
> config env vars when the exe loading libldap is running in setuid mode.
>
> This is causing problems for one of our customers who routinely run our
> product Linux executables (which load our libldap) in setuid mode for
> legitimate purposes.
> Since we have the source, we can and may change this code.
>
> In our case, customer wants to set env var LDAPCONF to point at a
> non-default conf file but is unable to do so. In fact this code bypasses
> almost all ways an alternate config file can be read.

I wonder what the use case is.

> Even $HOME/ldap.conf is not read.
>
> My question here is should this code be considered a bug and changed to
> be less restrictive? I fully appreciate there should be restrictions
> when in setuid mode but the current code seems too restrictive.
>
>
> init.c:
> 686
> 687 openldap_ldap_init_w_sysconf(LDAP_CONF_FILE);
> 688
> 689 #ifdef HAVE_GETEUID
> 690 if ( geteuid() != getuid() )
> 691 goto done;
> 692 #endif
> 693
> 694 openldap_ldap_init_w_userconf(LDAP_USERRC_FILE);
> 695
>
>
> Norm Green
> GemTalk Systems LLC
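The quoted init.c logic splits configuration into a system file that is always read and user-controlled sources (LDAPCONF, the home directory) that are skipped whenever the effective uid differs from the real uid, because the environment of a setuid process is supplied by the unprivileged caller. The following is an added example, not code from OpenLDAP or from the thread's authors, showing how such a "may I trust the environment?" decision can be written as a pure function so it is testable, and extending the page's single geteuid/getuid comparison with the setgid case and, on Linux, the kernel's AT_SECURE flag (which stays set even after a setuid program has dropped back to the caller's uid). The struct, function names and the `ldaprc` file name are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#ifdef __linux__
#include <sys/auxv.h>   /* getauxval(AT_SECURE), glibc/musl on Linux */
#endif

/* Snapshot of the identity facts the trust decision depends on
 * (hypothetical type for this example, not a libldap type). */
typedef struct {
    uid_t ruid, euid;
    gid_t rgid, egid;
    int   at_secure;   /* AT_SECURE from the auxiliary vector; 0 where unavailable */
} proc_ids;

/* Fill the snapshot from the running process. */
void proc_ids_current(proc_ids *p) {
    p->ruid = getuid();  p->euid = geteuid();
    p->rgid = getgid();  p->egid = getegid();
#ifdef __linux__
    p->at_secure = (int)getauxval(AT_SECURE);
#else
    p->at_secure = 0;
#endif
}

/* Return 1 only if paths taken from the environment may be honoured.
 * The first test is the one init.c makes; the others close gaps it leaves. */
int env_is_trusted(const proc_ids *p) {
    if (p->ruid != p->euid) return 0;   /* running setuid: env comes from the caller */
    if (p->rgid != p->egid) return 0;   /* setgid is just as exposed */
    if (p->at_secure)       return 0;   /* kernel says the exec was privileged */
    return 1;
}

/* Decide which user-level file, if any, to read after the system config.
 * Returns NULL when the user layer must be skipped, mirroring "goto done". */
const char *choose_user_conf(const proc_ids *p, const char *ldapconf_env,
                             const char *home, char *buf, size_t n) {
    if (!env_is_trusted(p))
        return NULL;
    if (ldapconf_env && *ldapconf_env) {          /* LDAPCONF wins when set */
        snprintf(buf, n, "%s", ldapconf_env);
        return buf;
    }
    if (home && *home) {                          /* assumed name: $HOME/ldaprc */
        snprintf(buf, n, "%s/ldaprc", home);
        return buf;
    }
    return NULL;
}

int main(void) {
    proc_ids me;
    char path[512];
    proc_ids_current(&me);
    /* getenv() is only consulted after the trust decision, never before it. */
    const char *chosen = choose_user_conf(&me, getenv("LDAPCONF"),
                                          getenv("HOME"), path, sizeof path);
    printf("system config: always read\n");
    printf("user config:   %s\n", chosen ? chosen : "(skipped: environment not trusted)");
    return 0;
}
```

Run as an ordinary user it names the user file; run through a setuid wrapper (or with privileges already dropped on Linux, where AT_SECURE remains set) it reports the user layer as skipped, which is the behaviour the thread observes.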