* [gentoo-dev] Policy violation possible (concerns openldap/nss_ldap)
@ 2003-06-18 17:36 Martin Lesser
2003-06-18 18:18 ` Donny Davies
2003-06-19 17:55 ` [gentoo-dev] " paul
0 siblings, 2 replies; 4+ messages in thread
From: Martin Lesser @ 2003-06-18 17:36 UTC (permalink / raw
To: gentoo-dev
Yesterday we upgraded net-libs/nss_ldap/nss_ldap-207.ebuild to
net-libs/nss_ldap/nss_ldap-207-r1.ebuild and encountered an IMO fatal
error concerning writing into /etc *without* respecting the protection
of conf-files.
The relevant lines from src_install() of the different ebuilds are:
nss_ldap-202.ebuild:
dosym /etc/openldap/ldap.conf /etc/ldap.conf
(That's ok)
nss_ldap-207.ebuild:
insinto /etc/openldap
doins ldap.conf
dosym /etc/openldap/ldap.conf /etc/ldap.conf
(That's ok)
Until here /etc/ldap.conf was a symlink which was created or maintained
also by at least one other package (openldap itself), but
nss_ldap-207-r1.ebuild changed it totally:
insinto /etc
doins ldap.conf
So the symlink was overwritten with the vanilla configuration what - in
our case - caused several applications which depend on ldap to not work
properly any longer. That was really bad.
How can one prevent such an IMO unacceptable behavior of overwriting
config-files which are symlinks? Should this be seen as bug in
gentoo/emerge?
Have the changes described above to be reported as bug in nss_ldap?
How can we ensure the integrity of conf-files used by more than one
package when different packages use different locations for the *same*
configuration (a bad thing anyway)?
Martin
--
gentoo-dev@gentoo.org mailing list
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [gentoo-dev] Policy violation possible (concerns openldap/nss_ldap)
2003-06-18 17:36 [gentoo-dev] Policy violation possible (concerns openldap/nss_ldap) Martin Lesser
@ 2003-06-18 18:18 ` Donny Davies
2003-06-19 17:55 ` [gentoo-dev] " paul
1 sibling, 0 replies; 4+ messages in thread
From: Donny Davies @ 2003-06-18 18:18 UTC (permalink / raw
To: gentoo-dev
[snip]
>Have the changes described above to be reported as bug in nss_ldap?
>
>How can we ensure the integrity of conf-files used by more than one
>package when different packages use different locations for the *same*
>configuration (a bad thing anyway)?
Martin,
I've already filed one: http://bugs.gentoo.org/show_bug.cgi?id=22906
Donny.
--
gentoo-dev@gentoo.org mailing list
^ permalink raw reply [flat|nested] 4+ messages in thread
* [gentoo-dev] Re: Policy violation possible (concerns openldap/nss_ldap)
2003-06-18 17:36 [gentoo-dev] Policy violation possible (concerns openldap/nss_ldap) Martin Lesser
2003-06-18 18:18 ` Donny Davies
@ 2003-06-19 17:55 ` paul
2003-06-19 15:42 ` Donny Davies
1 sibling, 1 reply; 4+ messages in thread
From: paul @ 2003-06-19 17:55 UTC (permalink / raw
To: gentoo-dev
Martin Lesser wrote:
--snipped--
> So the symlink was overwritten with the vanilla configuration what - in
> our case - caused several applications which depend on ldap to not work
> properly any longer. That was really bad.
>
> How can one prevent such an IMO unacceptable behavior of overwriting
> config-files which are symlinks? Should this be seen as bug in
> gentoo/emerge?
>
> Have the changes described above to be reported as bug in nss_ldap?
>
> How can we ensure the integrity of conf-files used by more than one
> package when different packages use different locations for the *same*
> configuration (a bad thing anyway)?
>
Correct me if I'm wrong here, but AFAIK /etc/openldap/ldap.conf is used
by the openldap clients like ldapsearch ldapadd... whereas
/etc/ldap.conf is for pam_ldap and nss_ldap from PADL. They shouldn't be
the same file at all. Despite sharing some common directives such as
HOST and BASE, im not sure if the pam_ldap/nss_ldap specific options are
silently ignored by the openldap clienttools. If that is true,
/etc/openldap/ldap.conf could be overwritten by pam_ldap/nss_ldap during
install but not the other way round.
kind regards Paul
> Martin
>
> --
> gentoo-dev@gentoo.org mailing list
>
>
--
gentoo-dev@gentoo.org mailing list
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [gentoo-dev] Re: Policy violation possible (concerns openldap/nss_ldap)
2003-06-19 17:55 ` [gentoo-dev] " paul
@ 2003-06-19 15:42 ` Donny Davies
0 siblings, 0 replies; 4+ messages in thread
From: Donny Davies @ 2003-06-19 15:42 UTC (permalink / raw
To: gentoo-dev
On Thu, Jun 19, 2003 at 10:55:14AM -0700, paul wrote:
[...]
>Correct me if I'm wrong here, but AFAIK /etc/openldap/ldap.conf is used
>by the openldap clients like ldapsearch ldapadd... whereas
>/etc/ldap.conf is for pam_ldap and nss_ldap from PADL. They shouldn't be
>the same file at all.
That's corrrect. The ebuild was previously setup to install
/etc/ldap.conf as a symlink to /etc/openldap/ldap.conf, I guess
somebody figured they were the same file but that's not correct.
*nss_ldap-207-r1 (16 Jun 2003)
16 Jun 2003; Donny Davies <woodchip@gentoo.org> nss_ldap-207-r1.ebuild:
Install the library in /lib. This revision also properly installs the
configuration file; /etc/ldap.conf != /etc/openldap/ldap.conf!
Donny.
--
gentoo-dev@gentoo.org mailing list
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2003-06-19 15:42 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2003-06-18 17:36 [gentoo-dev] Policy violation possible (concerns openldap/nss_ldap) Martin Lesser
2003-06-18 18:18 ` Donny Davies
2003-06-19 17:55 ` [gentoo-dev] " paul
2003-06-19 15:42 ` Donny Davies
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox