unix socket permissions
Matthew Carpenter
matt
Tue Feb 8 14:36:57 PST 2005
That makes sense. They act *just* like file permissions... except the
way sockets work is different than typical files. Imagine the file as
a clipboard which is passed back and forth between processes. That's
basically what's happening. In order for your app to even hand the
query into OpenLDAP it must write its bind and query information
somewhere. That is the socket. It would be no different than using a
file to do IPC. Proc 1 writes to the file the information for proc 2 to
process. Proc 2 then reads the information from the file, clears the
information from the file and writes the results back. Sockets are all
that and more (no locking/timing issues, allowing full-duplex
communication between processes).
Jason Joines wrote:
| Jason Joines wrote:
|
|> Is there anything special about setting permissions on unix
|> sockets? I've been using OpenLDAP for authentication for quite some
|> time but have just recently started playing around with ldapi and unix
|> sockets. The socket is /var/run/slapd/ldapi with these permissions on
|> the path.
|>
|> myhost:~> ls -ld / /var /var/run /var/run/slapd /var/run/slapd/*
|> drwxr-xr-x 21 root root 4096 2005-01-25 09:40 /
|> drwxr-xr-x 15 root root 4096 2005-01-19 16:37 /var
|> drwxr-xr-x 14 root root 4096 2005-02-04 16:54 /var/run
|> drwxr-xr-x 2 ldap ldap 4096 2005-02-07 09:31 /var/run/slapd
|> srwxr-xr-x 1 root root 0 2005-02-07 09:31 /var/run/slapd/ldapi
|>
|> An ldapsearch against that socket as the user root works just fine.
|> myhost:~ # ldapsearch -LLL -x -H ldapi://%2fvar%2frun%2fslapd%2fldapi
|> uid=bogus dn
|> dn: uid=bogus,dc=my,dc=domain,dc=org
|>
|> However, searches from a non-root user fail.
|> myhost:~> ldapsearch -LLL -x -H ldapi://%2fvar%2frun%2fslapd%2fldapi
|> uid=bogus dn
|> ldap_bind: Can't contact LDAP server (-1)
|>
|> The original permissions were the same as those above with the
|> exception of /var/run/slapd which was drwx------. I changed the
|> permissions so non-root users can access the socket via filesystem but
|> it still hasn't enabled them to use it in a search.
|>
|> Any ideas?
|>
|> Jason Joines
|> =================================
|
| Just got the solution from the OpenLDAP mailing lists. Seems the
| socket has to be writeable by each user who needs to use it. So, 'chmod
| 0777 /var/run/slapd/ldapi' does the trick. I had reservations about
| that but I tried to delete the socket and append data to it after giving
| myself write access and failed. Looks like socket permissions behave
| very differently than file permissions.
|
| Jason
| ===========
--
Matthew Carpenter
matt at eisgr.com http://www.eisgr.com/
Enterprise Information Systems
* Network Server Appliances
* Security Consulting, Incident Handling & Forensics
* Network Consulting, Integration & Support
* Web Integration and E-Business
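As an added illustration, not part of the thread or of OpenLDAP, the two rules the exchange turns on can be checked with a throwaway socket: connect(2) is refused unless the caller has the write bit on the socket node, and that same write bit still does not let anyone open the node as a file. The socket path and modes below are constructed; search permission on the directories along the path (the drwx------ on /var/run/slapd) is still required and is not probed here.

```python
import errno
import os
import socket
import stat
import tempfile

# open(2) on a socket node fails with ENXIO (Linux) or EOPNOTSUPP (some BSDs).
FILE_IO_REFUSED = (errno.ENXIO, errno.EOPNOTSUPP)

def connect_errno(path):
    """connect() to the Unix socket at `path`; 0 on success, else the errno."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        try:
            c.connect(path)
            return 0
        except OSError as e:
            return e.errno

def open_append_errno(path):
    """open(2) the node for appending as if it were a plain file; 0 or errno."""
    try:
        os.close(os.open(path, os.O_WRONLY | os.O_APPEND))
        return 0
    except OSError as e:
        return e.errno

def probe_socket_modes(modes):
    """Bind a listening socket in a private temp dir (constructed stand-in for
    /var/run/slapd/ldapi), chmod it to each mode in turn and return
    {mode: (connect_errno, open_append_errno)}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ldapi")
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
            srv.bind(path)
            srv.listen(len(modes))  # queue room for one unaccepted connect per probe
            for mode in modes:
                os.chmod(path, mode)
                results[mode] = (connect_errno(path), open_append_errno(path))
    return results

def expected_connect_errno(mode):
    """DAC rule as seen by the socket's owner: connect() needs the owner write
    bit, EACCES without it; read/exec bits never matter. root (euid 0) has
    CAP_DAC_OVERRIDE and always connects."""
    if os.geteuid() == 0:
        return 0
    return 0 if mode & stat.S_IWUSR else errno.EACCES
```

Run `probe_socket_modes([0o555, 0o755, 0o777])` as an unprivileged user to see only the 0777 entry connect while every open(O_APPEND) attempt is refused. Because only the write bit on the node matters, a group-owned socket with mode 0660 restricts connects to that group and is a narrower alternative to 0777.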