Bug 483356 - /etc/init.d/ldap script assumes files in /tmp can be executed
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openldap
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Assigned To: Jan Zeleny
Reported: 2009-01-30 17:11 EST by Wes Morgan
Modified: 2010-03-30 04:05 EDT (History)

Doc Type: Bug Fix
Last Closed: 2010-03-30 04:05:51 EDT
Description Wes Morgan 2009-01-30 17:11:35 EST
Description of problem: slapd init script assumes /tmp (or $TMP) is executable, but setting noexec on a /tmp partition is a common (and recommended) security practice. It creates a wrapper script in that directory and then tries to execute it, which will fail with a cryptic permission denied error from bash.

Version-Release number of selected component (if applicable): 2.3.43-3.el5

How reproducible: Every time.

Steps to Reproduce:
1. Mount /tmp as a separate partition
2. Set the noexec option on it in fstab
3. Install openldap-servers package
4. Try to start with /sbin/service ldap start

Actual results:
permission denied error from bash (mentions the generated wrapper filename, e.g. /tmp/start-slapd.654321)

Expected results:
slapd starts

Additional info:
This wrapper should be created somewhere that is more often considered safe for executables. Maybe /var/run/openldap. It looks like it's created to work around some issues w/ the daemon command, so maybe it could be fixed there too.
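
An added example, not part of the original report and not the fix that was shipped: one way an init script could check whether a directory sits on a `noexec` mount before writing an executable wrapper there. The function names and the sample mount table are hypothetical; the table uses the `/proc/mounts` layout, and paths are assumed to be already resolved (no symlinks).

```shell
#!/bin/sh
# Print the mount options that apply to path $1, using mount table file $2
# (same layout as /proc/mounts: device mountpoint fstype options dump pass).
# The longest mount point that is a parent of the path wins; on a tie the
# later entry wins, because later mounts shadow earlier ones.
mount_opts_for() {
    awk -v p="$1" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }
    ' "$2"
}

# Exit status 0 if path $1 is on a mount carrying the noexec option.
is_noexec() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the first candidate directory (arguments after the mount table)
# that is not on a noexec mount; return 1 if none qualifies.
pick_wrapper_dir() {
    table=$1; shift
    for dir in "$@"; do
        if ! is_noexec "$dir" "$table"; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}

# Constructed sample mount table (not taken from the bug report).
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda2 /tmp ext3 rw,noexec,nosuid,nodev 0 0
/dev/sda3 /var ext3 rw 0 0
EOF

pick_wrapper_dir "$SAMPLE_MOUNTS" /tmp /var/run/openldap  # prints /var/run/openldap
```

On a live system the first argument would be `/proc/mounts` instead of the sample file.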
Comment 1 Jan Safranek 2009-03-10 08:26:25 EDT
This was fixed in Fedora some time ago and should be backported to RHEL.
Comment 5 Jan Zeleny 2009-11-16 04:49:31 EST
Patch is in CVS, changing status to MODIFIED.
Comment 7 Ondrej Moriš 2010-01-12 05:05:03 EST
Successfully verified on i386 and x86_64.
Comment 9 errata-xmlrpc 2010-03-30 04:05:51 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

