public inbox for gentoo-dev@lists.gentoo.org
 help / color / mirror / Atom feed
* [gentoo-dev] Policy violation possible (concerns openldap/nss_ldap)
@ 2003-06-18 17:36 Martin Lesser
  2003-06-18 18:18 ` Donny Davies
  2003-06-19 17:55 ` [gentoo-dev] " paul
  0 siblings, 2 replies; 4+ messages in thread
From: Martin Lesser @ 2003-06-18 17:36 UTC (permalink / raw
  To: gentoo-dev

Yesterday we upgraded net-libs/nss_ldap/nss_ldap-207.ebuild to
net-libs/nss_ldap/nss_ldap-207-r1.ebuild and encountered an IMO fatal
error concerning writing into /etc *without* respecting the protection
of conf-files.

The relevant lines from src_install() of the different ebuilds are:

nss_ldap-202.ebuild:
  dosym /etc/openldap/ldap.conf /etc/ldap.conf
(That's ok)

nss_ldap-207.ebuild:
  insinto /etc/openldap
  doins ldap.conf
  dosym /etc/openldap/ldap.conf /etc/ldap.conf
(That's ok)

Until here /etc/ldap.conf was a symlink which was created or maintained
also by at least one other package (openldap itself), but

nss_ldap-207-r1.ebuild changed it totally:
  insinto /etc
  doins ldap.conf

So the symlink was overwritten with the vanilla configuration what - in
our case - caused several applications which depend on ldap to not work
properly any longer. That was really bad.

How can one prevent such an IMO unacceptable behavior of overwriting
config-files which are symlinks? Should this be seen as bug in
gentoo/emerge?

Have the changes described above to be reported as bug in nss_ldap?

How can we ensure the integrity of conf-files used by more than one
package when different packages use different locations for the *same*
configuration (a bad thing anyway)?

Martin

--
gentoo-dev@gentoo.org mailing list


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [gentoo-dev] Policy violation possible (concerns openldap/nss_ldap)
  2003-06-18 17:36 [gentoo-dev] Policy violation possible (concerns openldap/nss_ldap) Martin Lesser
@ 2003-06-18 18:18 ` Donny Davies
  2003-06-19 17:55 ` [gentoo-dev] " paul
  1 sibling, 0 replies; 4+ messages in thread
From: Donny Davies @ 2003-06-18 18:18 UTC (permalink / raw
  To: gentoo-dev

[snip]
>Have the changes described above to be reported as bug in nss_ldap?
>
>How can we ensure the integrity of conf-files used by more than one
>package when different packages use different locations for the *same*
>configuration (a bad thing anyway)?

Martin,

  I've already filed one:  http://bugs.gentoo.org/show_bug.cgi?id=22906

        Donny.


--
gentoo-dev@gentoo.org mailing list


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [gentoo-dev] Re: Policy violation possible (concerns openldap/nss_ldap)
  2003-06-19 17:55 ` [gentoo-dev] " paul
@ 2003-06-19 15:42   ` Donny Davies
  0 siblings, 0 replies; 4+ messages in thread
From: Donny Davies @ 2003-06-19 15:42 UTC (permalink / raw
  To: gentoo-dev

On Thu, Jun 19, 2003 at 10:55:14AM -0700, paul wrote:
[...]
>Correct me if I'm wrong here, but AFAIK /etc/openldap/ldap.conf is used 
>by the openldap clients like ldapsearch ldapadd... whereas 
>/etc/ldap.conf is for pam_ldap and nss_ldap from PADL. They shouldn't be 
>the same file at all.

That's corrrect.  The ebuild was previously setup to install
/etc/ldap.conf as a symlink to /etc/openldap/ldap.conf, I guess
somebody figured they were the same file but that's not correct.

*nss_ldap-207-r1 (16 Jun 2003)

  16 Jun 2003; Donny Davies <woodchip@gentoo.org> nss_ldap-207-r1.ebuild:
  Install the library in /lib.  This revision also properly installs the
  configuration file;  /etc/ldap.conf != /etc/openldap/ldap.conf!

                Donny.

--
gentoo-dev@gentoo.org mailing list


^ permalink raw reply	[flat|nested] 4+ messages in thread

* [gentoo-dev] Re: Policy violation possible (concerns openldap/nss_ldap)
  2003-06-18 17:36 [gentoo-dev] Policy violation possible (concerns openldap/nss_ldap) Martin Lesser
  2003-06-18 18:18 ` Donny Davies
@ 2003-06-19 17:55 ` paul
  2003-06-19 15:42   ` Donny Davies
  1 sibling, 1 reply; 4+ messages in thread
From: paul @ 2003-06-19 17:55 UTC (permalink / raw
  To: gentoo-dev

Martin Lesser wrote:
--snipped--


> So the symlink was overwritten with the vanilla configuration what - in
> our case - caused several applications which depend on ldap to not work
> properly any longer. That was really bad.
> 
> How can one prevent such an IMO unacceptable behavior of overwriting
> config-files which are symlinks? Should this be seen as bug in
> gentoo/emerge?
> 
> Have the changes described above to be reported as bug in nss_ldap?
> 
> How can we ensure the integrity of conf-files used by more than one
> package when different packages use different locations for the *same*
> configuration (a bad thing anyway)?
>
Correct me if I'm wrong here, but AFAIK /etc/openldap/ldap.conf is used 
by the openldap clients like ldapsearch ldapadd... whereas 
/etc/ldap.conf is for pam_ldap and nss_ldap from PADL. They shouldn't be 
the same file at all. Despite sharing some common directives such as 
HOST and BASE, im not sure if the pam_ldap/nss_ldap specific options are 
silently ignored by the openldap clienttools. If that is true, 
/etc/openldap/ldap.conf could be overwritten by pam_ldap/nss_ldap during 
install but not the other way round.

kind regards  Paul


> Martin
> 
> --
> gentoo-dev@gentoo.org mailing list
> 
> 



--
gentoo-dev@gentoo.org mailing list


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2003-06-19 15:42 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2003-06-18 17:36 [gentoo-dev] Policy violation possible (concerns openldap/nss_ldap) Martin Lesser
2003-06-18 18:18 ` Donny Davies
2003-06-19 17:55 ` [gentoo-dev] " paul
2003-06-19 15:42   ` Donny Davies

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox