slapcat broken when default apparmor profile is enabled
Bug #203898 reported by Jamie Strandboge
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openldap2.3 (Ubuntu) | Fix Released | Undecided | Jamie Strandboge |
Bug Description
A simple 'sudo slapcat -l ./foo.ldif' results in this apparmor entry:
Mar 19 12:30:07 hardy-amd64-sec kernel: [ 0.000000] audit(120592980
The reason is that slapcat is a symlink to slapd, and apparmor evaluates symlinks to the name of the file they point to. One solution might be to use hard links instead of symlinks.
As slapacl, slapadd, slapauth, slapdn, slapindex, slappasswd and slaptest are also symlinks, these are all likely broken as well.
Changed in openldap2.3:
assignee: nobody → jamie-strandboge
status: New → Confirmed
Using hard links instead of symlinks is reasonable based on servers/slapd/main.c:

    static struct {
        char *name;
        MainFunc *func;
    } tools[] = {
        {"slapadd", slapadd},
        {"slapcat", slapcat},
        {"slapdn", slapdn},
        {"slapindex", slapindex},
        {"slappasswd", slappasswd},
        {"slaptest", slaptest},
        {"slapauth", slapauth},
        {"slapacl", slapacl},
        /* NOTE: new tools must be added in chronological order,
         * not in alphabetical order, because for backwards
         * compatibility name[4] is used to identify the
         * tools; so name[4]=='a' must refer to "slapadd" and
         * not to "slapauth". Alphabetical order can be used
         * for tools whose name[4] is not used yet */
        {NULL, NULL}
    };
    ...
    serverName = lutil_progname( "slapd", argc, argv );

    if ( strcmp( serverName, "slapd" ) ) {
        for (i=0; tools[i].name; i++) {
            if ( !strcmp( serverName, tools[i].name ) ) {
                rc = tools[i].func(argc, argv);
                MAIN_RETURN( rc );
            }
        }
    }
    ...
lutil_progname() simply grabs argv[0] and returns it. Based on the above, slapd doesn't care if they are hardlinks or symlinks.
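As an added example (not part of the bug report or of the openldap2.3 package), the script below audits a directory of slap* tools and reports, for each, whether it is a symlink to slapd (the kernel resolves it to the slapd path at exec time, so the slapd profile applies, as the bug describes), a hard link to slapd (its own path, so the slapd profile does not cover it), or a separate file. The directory is an assumption; on Ubuntu the tools live in /usr/sbin, and the demo tree at the bottom is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: classify slap* tools by how they are linked to slapd.
set -u

TOOLS="slapacl slapadd slapauth slapcat slapdn slapindex slappasswd slaptest"

# classify_tool DIR NAME prints one of:
#   symlink-to-slapd   resolves to DIR/slapd, so it runs under the slapd profile
#   hardlink-to-slapd  same inode as slapd but its own path; slapd profile not applied
#   separate           a distinct file
#   missing            no such entry
classify_tool() {
    dir=$1; name=$2
    path="$dir/$name"; slapd="$dir/slapd"
    [ -e "$path" ] || [ -L "$path" ] || { echo missing; return 0; }
    if [ -L "$path" ]; then
        if [ "$(readlink -f -- "$path")" = "$(readlink -f -- "$slapd")" ]; then
            echo symlink-to-slapd; return 0
        fi
        echo separate; return 0
    fi
    if [ -e "$slapd" ] && [ "$path" -ef "$slapd" ]; then
        echo hardlink-to-slapd; return 0
    fi
    echo separate
}

# audit_slap_tools DIR prints one line per tool and returns 1 if any tool
# is a symlink to slapd (i.e. affected by the behaviour in this bug).
audit_slap_tools() {
    rc=0
    for t in $TOOLS; do
        kind=$(classify_tool "$1" "$t")
        printf '%-12s %s\n' "$t" "$kind"
        [ "$kind" = symlink-to-slapd ] && rc=1
    done
    return $rc
}

# Constructed demo tree (hypothetical; not a real install).
demo=$(mktemp -d)
printf '#!/bin/sh\necho slapd\n' > "$demo/slapd"; chmod +x "$demo/slapd"
ln -s slapd "$demo/slapcat"        # symlink, as shipped by the package
ln "$demo/slapd" "$demo/slapadd"   # hard link, the proposed fix
audit_slap_tools "$demo" || echo "symlinked tools found: they run under the slapd profile"
rm -rf "$demo"
```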