unix socket permissions
Jason Joines
Mon Feb 7 14:51:55 PST 2005
Jason Joines wrote:
> Is there anything special about setting permissions on unix sockets?
> I've been using OpenLDAP for authentication for quite some time but have
> just recently started playing around with ldapi and unix sockets. The
> socket is /var/run/slapd/ldapi with these permissions on the path.
>
> myhost:~> ls -ld / /var /var/run /var/run/slapd /var/run/slapd/*
> drwxr-xr-x 21 root root 4096 2005-01-25 09:40 /
> drwxr-xr-x 15 root root 4096 2005-01-19 16:37 /var
> drwxr-xr-x 14 root root 4096 2005-02-04 16:54 /var/run
> drwxr-xr-x 2 ldap ldap 4096 2005-02-07 09:31 /var/run/slapd
> srwxr-xr-x 1 root root 0 2005-02-07 09:31 /var/run/slapd/ldapi
>
> An ldapsearch against that socket as the user root works just fine.
> myhost:~ # ldapsearch -LLL -x -H ldapi://%2fvar%2frun%2fslapd%2fldapi
> uid=bogus dn
> dn: uid=bogus,dc=my,dc=domain,dc=org
>
> However, searches from a non-root user fail.
> myhost:~> ldapsearch -LLL -x -H ldapi://%2fvar%2frun%2fslapd%2fldapi
> uid=bogus dn
> ldap_bind: Can't contact LDAP server (-1)
>
> The original permissions were the same as those above with the
> exception of /var/run/slapd which was drwx------. I changed the
> permissions so non-root users can access the socket via filesystem but
> it still hasn't enabled them to use it in a search.
>
> Any ideas?
>
> Jason Joines
> =================================
Just got the solution from the OpenLDAP mailing lists. Seems the
socket has to be writable by each user who needs to use it. So, 'chmod
0777 /var/run/slapd/ldapi' does the trick. I had reservations about
that but I tried to delete the socket and append data to it after giving
myself write access and failed. Looks like socket permissions behave
very differently than file permissions.
Jason
===========
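The behaviour Jason ran into follows the kernel's rules for AF_UNIX sockets: connect() needs write permission on the socket inode, and every directory on the path needs search (x) permission. The script below is an added illustration, not something from the thread or from OpenLDAP: it reproduces the ls listing above as constructed data (the ldap uid/gid of 55 is made up), and reports which permission, if any, would stop a given uid/gid from connecting. The stat_entries() helper does the same against a live filesystem path.

```python
import os
import stat

# Constructed sample reproducing the listing in the thread. Modes are
# (file type | permission bits); uid/gid 0 is root, 55 stands in for
# the 'ldap' user and group (arbitrary choice, not from the thread).
LDAPI_PATH = "/var/run/slapd/ldapi"
SAMPLE_PATH = [
    ("/",                    stat.S_IFDIR  | 0o755, 0,  0),
    ("/var",                 stat.S_IFDIR  | 0o755, 0,  0),
    ("/var/run",             stat.S_IFDIR  | 0o755, 0,  0),
    ("/var/run/slapd",       stat.S_IFDIR  | 0o755, 55, 55),
    ("/var/run/slapd/ldapi", stat.S_IFSOCK | 0o755, 0,  0),
]

READ, WRITE, SEARCH = 4, 2, 1


def has_perm(mode, f_uid, f_gid, uid, gid, groups, want):
    """Classic owner/group/other check. `want` is a mask of READ/WRITE/SEARCH.
    uid 0 is treated as passing every check, which is how CAP_DAC_OVERRIDE
    behaves for the write and directory-search cases relevant here."""
    if uid == 0:
        return True
    if uid == f_uid:
        bits = (mode >> 6) & 7
    elif gid == f_gid or f_gid in groups:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want


def check_socket_access(entries, uid, gid, groups=()):
    """entries: [(path, st_mode, st_uid, st_gid), ...], leading directories
    first and the socket last. Returns a list of problems; an empty list
    means a process running as uid/gid should be able to connect()."""
    problems = []
    *dirs, sock = entries
    for path, mode, f_uid, f_gid in dirs:
        if not stat.S_ISDIR(mode):
            problems.append(f"{path}: not a directory")
        elif not has_perm(mode, f_uid, f_gid, uid, gid, groups, SEARCH):
            problems.append(f"{path}: no search (x) permission, path lookup fails")
    path, mode, f_uid, f_gid = sock
    if not stat.S_ISSOCK(mode):
        problems.append(f"{path}: not a socket")
    elif not has_perm(mode, f_uid, f_gid, uid, gid, groups, WRITE):
        problems.append(f"{path}: no write (w) permission, connect() fails with EACCES")
    return problems


def with_mode(entries, path, new_perm):
    """Copy of entries with the permission bits of `path` replaced, keeping
    the file type bits. Used to model 'chmod' without touching the disk."""
    return [(p, (stat.S_IFMT(m) | new_perm) if p == path else m, u, g)
            for p, m, u, g in entries]


def stat_entries(sock_path):
    """Build the entries list for a real socket path from os.stat()."""
    path = os.path.abspath(sock_path)
    entries = []
    cur = os.sep
    st = os.stat(cur)
    entries.append((cur, st.st_mode, st.st_uid, st.st_gid))
    for part in path.split(os.sep)[1:]:
        cur = os.path.join(cur, part)
        st = os.stat(cur)
        entries.append((cur, st.st_mode, st.st_uid, st.st_gid))
    return entries


if __name__ == "__main__":
    # The situation from the thread: root connects, an ordinary user cannot.
    print("root:", check_socket_access(SAMPLE_PATH, 0, 0) or "ok")
    print("uid 1000:", check_socket_access(SAMPLE_PATH, 1000, 100) or "ok")
    # After the fix Jason applied (chmod 0777 on the socket).
    fixed = with_mode(SAMPLE_PATH, LDAPI_PATH, 0o777)
    print("uid 1000 after chmod 0777:", check_socket_access(fixed, 1000, 100) or "ok")
    # The original drwx------ on /var/run/slapd adds a second failure.
    orig = with_mode(SAMPLE_PATH, "/var/run/slapd", 0o700)
    for p in check_socket_access(orig, 1000, 100):
        print("original layout, uid 1000:", p)
```

The with_mode() helper also shows the less drastic alternative to 0777: a socket owned by root with group access (for example 0770 and a dedicated group) lets members of that group connect while everyone else still gets EACCES. Write permission on the socket inode is narrower than it looks, which matches what Jason observed: unlinking the socket is governed by write permission on the containing directory, not the socket, and open(2) on a socket file fails with ENXIO, so there is no data to append to.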