First Last Prev Next    This bug is not in your last search results.
Bug 483356 - /etc/init.d/ldap script assumes files in /tmp can be executed
/etc/init.d/ldap script assumes files in /tmp can be executed
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openldap (Show other bugs)
5.3
All Linux
low Severity medium
: rc
: ---
Assigned To: Jan Zeleny
BaseOS QE
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-01-30 17:11 EST by Wes Morgan
Modified: 2010-03-30 04:05 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-03-30 04:05:51 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Wes Morgan 2009-01-30 17:11:35 EST 
Description of problem: slapd init script assumes /tmp (or $TMP) is executable, but setting noexec on a /tmp partition is a common (and recommended) security practice. It creates a wrapper script in that directory and then tries to execute it, which will fail with a cryptic permission denied error from bash.


Version-Release number of selected component (if applicable): 2.3.43-3.el5


How reproducible: Every time.


Steps to Reproduce:
1. Mount /tmp as a separate partition
2. Set the noexec option on it in fstab
3. Install openldap-servers package
4. Try to start with /sbin/service ldap start
  
Actual results:
permission denied error from bash (mentions the generated wrapper filename, e.g. /tmp/start-slapd.654321)


Expected results:
slapd starts

Additional info:
This wrapper should be created somewhere that is more often consider safe for executables. Maybe /var/run/openldap. It looks like it's created to work around some issues w/ the daemon command, so maybe it could be fixed there too.
Comment 1 Jan Safranek 2009-03-10 08:26:25 EDT 
This was fixed in Fedora some time ago and should be backported to RHEL.
Comment 5 Jan Zeleny 2009-11-16 04:49:31 EST 
Patch is in CVS, changing status to MODIFIED.
Comment 7 Ondrej Moriš 2010-01-12 05:05:03 EST 
Succesfully verified on i386 and x86_64.
Comment 9 errata-xmlrpc 2010-03-30 04:05:51 EDT 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2010-0198.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.