Red Hat Bugzilla – Bug 483356
/etc/init.d/ldap script assumes files in /tmp can be executed
Last modified: 2010-03-30 04:05:51 EDT
Description of problem: slapd init script assumes /tmp (or $TMP) is executable, but setting noexec on a /tmp partition is a common (and recommended) security practice. It creates a wrapper script in that directory and then tries to execute it, which will fail with a cryptic permission denied error from bash.
Version-Release number of selected component (if applicable): 2.3.43-3.el5
How reproducible: Every time.
Steps to Reproduce:
1. Mount /tmp as a separate partition
2. Set the noexec option on it in fstab
3. Install openldap-servers package
4. Try to start with /sbin/service ldap start
permission denied error from bash (mentions the generated wrapper filename, e.g. /tmp/start-slapd.654321)
This wrapper should be created somewhere that is more often considered safe for executables. Maybe /var/run/openldap. It looks like it's created to work around some issues with the daemon command, so maybe it could be fixed there too.
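Added example (the editor's, not code from the bug report or from the openldap-servers init script): a POSIX sh check that resolves which mount a directory lives on and whether that mount carries noexec, so a script that generates a wrapper can pick a directory it can actually execute from instead of failing on the exec. The mount table is a constructed sample in /proc/mounts format, and the function names and candidate directories are illustrative.

```shell
#!/bin/sh
# Added example, not from the bug report or the openldap-servers init script.
# Finds the mount that holds a directory and checks its options for noexec,
# so a script that generates a wrapper can choose a directory it can exec from.
# All paths below are illustrative; the mount table is a constructed sample.

# Constructed /proc/mounts-style sample: device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda2 /tmp ext3 rw,noexec,nosuid,nodev 0 0
/dev/sda3 /var ext3 rw 0 0
tmpfs /dev/shm tmpfs rw,noexec,nosuid 0 0'

# mount_options_for DIR MOUNTS_TEXT
# Prints the option string of the mount DIR lives on: the longest mount point
# that is DIR itself or a parent of it (matched on a path boundary, so /tmp
# covers /tmp/x but not /tmpfoo).
mount_options_for() {
    printf '%s\n' "$2" | awk -v dir="$1" '
        {
            mp = $2
            if (mp == "/" || dir == mp || index(dir, mp "/") == 1) {
                if (length(mp) > length(best)) { best = mp; opts = $4 }
            }
        }
        END { print opts }'
}

# mount_has_noexec DIR MOUNTS_TEXT
# Exit status 0 when the mount under DIR carries the noexec option.
mount_has_noexec() {
    opts=$(mount_options_for "$1" "$2")
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# pick_wrapper_dir MOUNTS_TEXT CANDIDATE_DIR...
# Prints the first candidate that is not on a noexec mount; status 1 if none.
pick_wrapper_dir() {
    mounts=$1
    shift
    for d in "$@"; do
        if ! mount_has_noexec "$d" "$mounts"; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# Demonstration against the constructed table: /tmp and /dev/shm are rejected,
# /var/run/openldap (on the /var mount, options "rw") is chosen.
wrapper_dir=$(pick_wrapper_dir "$SAMPLE_MOUNTS" /tmp /dev/shm /var/run/openldap)
printf 'wrapper would go in: %s\n' "$wrapper_dir"
```

On a live Linux system feed the functions `$(cat /proc/mounts)`, or query a single directory with `findmnt -no OPTIONS --target /tmp` where util-linux is available. One caveat worth keeping in mind: noexec only makes the kernel refuse to execve() a file on that mount; `sh /tmp/start-slapd.NNN` still runs, because the interpreter merely reads the file. The mount option is therefore hardening against casual abuse rather than a hard boundary, and the right fix for the init script is the one the report suggests: generate the wrapper where execution is expected, or avoid the wrapper entirely.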
This was fixed in Fedora some time ago and should be backported to RHEL.
Patch is in CVS, changing status to MODIFIED.
Successfully verified on i386 and x86_64.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.