Hello LDAP users and maintainers,

libraries/libldap/init.c has this code, which bypasses reading all LDAP config env vars when the exe loading libldap is running in setuid mode.

This is causing problems for one of our customers, who routinely runs our product's Linux executables (which load our libldap) in setuid mode for legitimate purposes.
Since we have the source, we can and may change this code.

In our case, the customer wants to set the env var LDAPCONF to point at a non-default conf file but is unable to do so. In fact, this code bypasses almost all the ways an alternate config file can be read.
Even $HOME/ldap.conf is not read.

My question here is: should this code be considered a bug and changed to be less restrictive? I fully appreciate that there should be restrictions when in setuid mode, but the current code seems too restrictive.


init.c (lines 687-694):

        /* system-wide config file is always read */
        openldap_ldap_init_w_sysconf(LDAP_CONF_FILE);

#ifdef HAVE_GETEUID
        /* running setuid: skip every user-controlled config source */
        if ( geteuid() != getuid() )
                goto done;
#endif

        /* per-user config (env vars, $HOME/ldap.conf), only when not setuid */
        openldap_ldap_init_w_userconf(LDAP_USERRC_FILE);


Norm Green
GemTalk Systems LLC

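The check under discussion, as an added C example that is not part of the mail above or of OpenLDAP's code: a function mirroring libldap's real-vs-effective ID comparison (extended to gids as well, which is an assumption, not what init.c does), next to one illustrative "less restrictive" policy that still defends the privileged process. The reason libldap skips every user-controlled source under setuid is that the invoking user owns both the environment and $HOME, so honouring LDAPCONF or $HOME/ldap.conf there would let that user feed the privileged process a config they wrote. The override policy shown (accept the file only if it is a regular file owned by the effective user and not writable by group or others), the function names and the temp-file helper are all assumptions made for this example.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Mirrors the decision the quoted libldap snippet makes: per-user config
 * sources (LDAPCONF/LDAPRC, $HOME/ldap.conf) are honoured only when the
 * process is not privileged.  The IDs are parameters so the logic can be
 * exercised without installing a setuid binary.  libldap itself compares
 * only the uids; comparing the gids too (assumption: a stricter variant)
 * also covers setgid executables. */
int user_config_allowed(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid == euid && rgid == egid;
}

/* One possible "less restrictive" policy (illustration only, not libldap
 * code): while privileged, accept an override file only if it is a regular
 * file owned by the effective user and writable by nobody else.  The
 * invoking user controls the environment and $HOME, so anything weaker lets
 * them point the privileged process at a config they wrote themselves. */
int override_file_trusted(const char *path, uid_t euid)
{
    struct stat st;

    if (stat(path, &st) != 0)
        return 0;                   /* missing or unreadable: reject */
    if (!S_ISREG(st.st_mode))
        return 0;                   /* stat follows symlinks; the target must be a plain file */
    if (st.st_uid != euid)
        return 0;                   /* not owned by the user we run as */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;                   /* someone else could rewrite it */
    return 1;
}

/* Pick the file to read.  env_conf stands in for getenv("LDAPCONF") and
 * sysconf for the compiled-in LDAP_CONF_FILE.  Returns the chosen path. */
const char *choose_conf_path(const char *sysconf, const char *env_conf,
                             uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    if (env_conf == NULL || *env_conf == '\0')
        return sysconf;             /* no override requested */
    if (user_config_allowed(ruid, euid, rgid, egid))
        return env_conf;            /* unprivileged: the env var is the user's own */
    if (override_file_trusted(env_conf, euid))
        return env_conf;            /* privileged, but the file is ours and locked down */
    return sysconf;                 /* privileged: ignore the override, as libldap does */
}

/* Test helper (constructed for this example): create a temp file with the
 * given mode, store its path in `path`, return 0 on success. */
int make_test_file(char *path, size_t n, mode_t mode)
{
    static const char tmpl[] = "/tmp/ldapconfXXXXXX";
    int fd;

    if (n < sizeof tmpl)
        return -1;
    memcpy(path, tmpl, sizeof tmpl);
    fd = mkstemp(path);
    if (fd < 0)
        return -1;
    close(fd);
    return chmod(path, mode);
}

int main(void)
{
    /* Show what the running process would do with its real environment. */
    const char *chosen = choose_conf_path("/etc/openldap/ldap.conf", getenv("LDAPCONF"),
                                          getuid(), geteuid(), getgid(), getegid());
    printf("uid %u/%u gid %u/%u -> would read %s\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           (unsigned)getgid(), (unsigned)getegid(), chosen);
    return 0;
}
```

Run it unprivileged with `LDAPCONF=/some/file` and it reports the override; installed setuid, the same invocation falls back to the system file unless the override file passes the ownership and permission checks. Whether that relaxed policy is acceptable for libldap is exactly the question the mail raises; the point of the example is that any relaxation has to reason about who controls the file, not just whether an env var is set.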