Modify slapd set user/group support to use -u/-g instead -U/-G.

Moved -u (udp) to -c (connectionless).  Connectionless is depreciated
and undocumented.
Added tests for set{,e}{u,g}id to configure.  Use existance of
setuid/setgid to enable feature.  Use seteuid/setegid only if
they exist.
Fixed minor minor leak of username/groupname if specificied
more than once.  (This should actually be an error)

INSTALL

@@ -47,12 +47,7 @@ these steps:
 	See the 'USING ENVIRONMENT VARIABLES' section for information
 	on how to use the variables. 
 
- 3. edit the file include/ldapconfig.h.edit to configure
-    the software for your site (the files are well-commented):
-
-	% vi include/ldapconfig.h.edit
-
- 4. Configure the build system
+ 3. Configure the build system
 
 	% [env settings] ./configure [options]
 
@@ -60,6 +55,11 @@ these steps:
 	appropriate settings.  Use configure enable/with options and/or
 	environment variables to obtain desired results.
 
+ 4. Review the file include/ldapconfig.h.edit.
+	You generally do not need to modify this file.  
+
+	% vi include/ldapconfig.h.edit
+
  5. Build dependencies
 
 	% make depend

configure

@@ -10808,12 +10808,13 @@ for ac_func in \
 	endgrent		\
 	endpwent		\
 	flock			\
-	getdtablesize		\
+	getdtablesize	\
 	getgrgid		\
 	gethostname		\
 	getpass			\
 	getpwuid		\
-	gettimeofday		\
+	gettimeofday	\
+	initgroups		\
 	lockf			\
 	memcpy			\
 	memmove			\
@@ -10821,7 +10822,11 @@ for ac_func in \
 	recv			\
 	recvfrom		\
 	setpwfile		\
+	setgid			\
+	setegid			\
 	setsid			\
+	setuid			\
+	seteuid			\
 	signal			\
 	sigset			\
 	snprintf		\
@@ -10840,12 +10845,12 @@ for ac_func in \
 
 do
 echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:10844: checking for $ac_func" >&5
+echo "configure:10849: checking for $ac_func" >&5
 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.$ac_ext <<EOF
-#line 10849 "configure"
+#line 10854 "configure"
 #include "confdefs.h"
 /* System header to define __stub macros and hopefully few prototypes,
     which can conflict with char $ac_func(); below.  */
@@ -10868,7 +10873,7 @@ $ac_func();
 
 ; return 0; }
 EOF
-if { (eval echo configure:10872: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:10877: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   rm -rf conftest*
   eval "ac_cv_func_$ac_func=yes"
 else
@@ -10896,12 +10901,12 @@ done
 for ac_func in getopt tempnam
 do
 echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:10900: checking for $ac_func" >&5
+echo "configure:10905: checking for $ac_func" >&5
 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.$ac_ext <<EOF
-#line 10905 "configure"
+#line 10910 "configure"
 #include "confdefs.h"
 /* System header to define __stub macros and hopefully few prototypes,
     which can conflict with char $ac_func(); below.  */
@@ -10924,7 +10929,7 @@ $ac_func();
 
 ; return 0; }
 EOF
-if { (eval echo configure:10928: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:10933: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   rm -rf conftest*
   eval "ac_cv_func_$ac_func=yes"
 else
@@ -10954,13 +10959,13 @@ done
 # Check Configuration
 
 echo $ac_n "checking declaration of sys_errlist""... $ac_c" 1>&6
-echo "configure:10958: checking declaration of sys_errlist" >&5
+echo "configure:10963: checking declaration of sys_errlist" >&5
 if eval "test \"`echo '$''{'ol_cv_dcl_sys_errlist'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   
 	cat > conftest.$ac_ext <<EOF
-#line 10964 "configure"
+#line 10969 "configure"
 #include "confdefs.h"
 
 #include <stdio.h>
@@ -10970,7 +10975,7 @@ int main() {
 char *c = (char *) *sys_errlist
 ; return 0; }
 EOF
-if { (eval echo configure:10974: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:10979: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
   rm -rf conftest*
   ol_cv_dcl_sys_errlist=yes
 else
@@ -10990,20 +10995,20 @@ if test $ol_cv_dcl_sys_errlist = no ; then
 EOF
 
 	echo $ac_n "checking existence of sys_errlist""... $ac_c" 1>&6
-echo "configure:10994: checking existence of sys_errlist" >&5
+echo "configure:10999: checking existence of sys_errlist" >&5
 	if eval "test \"`echo '$''{'ol_cv_have_sys_errlist'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   
 		cat > conftest.$ac_ext <<EOF
-#line 11000 "configure"
+#line 11005 "configure"
 #include "confdefs.h"
 #include <errno.h>
 int main() {
 char *c = (char *) *sys_errlist
 ; return 0; }
 EOF
-if { (eval echo configure:11007: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:11012: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   rm -rf conftest*
   ol_cv_have_sys_errlist=yes
 else
@@ -11027,13 +11032,13 @@ fi
 
 
 echo $ac_n "checking strdup declaration""... $ac_c" 1>&6
-echo "configure:11031: checking strdup declaration" >&5
+echo "configure:11036: checking strdup declaration" >&5
 if eval "test \"`echo '$''{'ol_cv_dcl_strdup'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   
 	cat > conftest.$ac_ext <<EOF
-#line 11037 "configure"
+#line 11042 "configure"
 #include "confdefs.h"
 
 #include <string.h> 
@@ -11041,7 +11046,7 @@ int main() {
 extern char *strdup();
 ; return 0; }
 EOF
-if { (eval echo configure:11045: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:11050: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
   rm -rf conftest*
   ol_cv_dcl_strdup=yes
 else

configure.in

@@ -1541,12 +1541,13 @@ AC_CHECK_FUNCS(		\
 	endgrent		\
 	endpwent		\
 	flock			\
-	getdtablesize		\
+	getdtablesize	\
 	getgrgid		\
 	gethostname		\
 	getpass			\
 	getpwuid		\
-	gettimeofday		\
+	gettimeofday	\
+	initgroups		\
 	lockf			\
 	memcpy			\
 	memmove			\
@@ -1554,7 +1555,11 @@ AC_CHECK_FUNCS(		\
 	recv			\
 	recvfrom		\
 	setpwfile		\
+	setgid			\
+	setegid			\
 	setsid			\
+	setuid			\
+	seteuid			\
 	signal			\
 	sigset			\
 	snprintf		\

doc/man/man8/slapd.8

@@ -5,7 +5,7 @@ slapd \- Stand-alone LDAP Daemon
 .B LIBEXECDIR/slapd [\-d debug\-level]
 .B [\-f slapd\-config\-file] [\-a address] [\-p port\-number]
 .B [\-s syslog\-level] [\-l syslog\-local\-user] [\-i]
-.B [\-U user] [\-G group]
+.B [\-u user] [\-g group]
 .B 
 .SH DESCRIPTION
 .LP
@@ -99,14 +99,14 @@ Internet standard '.' format.
 will listen on the default LDAP port (389) unless this option is given
 to override the default.  A numeric port number is expected.
 .TP
-.BI \-U " user"
+.BI \-u " user"
 .B slapd
 will run slapd with the specified user name or id, and that user's
 supplementary group access list as set with initgroups(3).  The group ID
-is also changed to this user's gid, unless the -G option is used to
+is also changed to this user's gid, unless the -g option is used to
 override.
 .TP
-.BI \-G " group"
+.BI \-g " group"
 .B slapd
 will run with the specified group name or id.
 .TP

include/portable.h.in

@@ -261,6 +261,9 @@
 /* Define if you have the gettimeofday function.  */
 #undef HAVE_GETTIMEOFDAY
 
+/* Define if you have the initgroups function.  */
+#undef HAVE_INITGROUPS
+
 /* Define if you have the lockf function.  */
 #undef HAVE_LOCKF
 
@@ -297,12 +300,24 @@
 /* Define if you have the sched_yield function.  */
 #undef HAVE_SCHED_YIELD
 
+/* Define if you have the setegid function.  */
+#undef HAVE_SETEGID
+
+/* Define if you have the seteuid function.  */
+#undef HAVE_SETEUID
+
+/* Define if you have the setgid function.  */
+#undef HAVE_SETGID
+
 /* Define if you have the setpwfile function.  */
 #undef HAVE_SETPWFILE
 
 /* Define if you have the setsid function.  */
 #undef HAVE_SETSID
 
+/* Define if you have the setuid function.  */
+#undef HAVE_SETUID
+
 /* Define if you have the signal function.  */
 #undef HAVE_SIGNAL
 

servers/slapd/main.c

@@ -57,15 +57,18 @@ static void
 usage( char *name )
 {
 	fprintf( stderr, "usage: %s [-d ?|debuglevel] [-f configfile] [-p portnumber] [-s sysloglevel]", name );
-    fprintf( stderr, "\n        [-a bind-address] [-i] [-u]" );
+    fprintf( stderr, "\n        [-a bind-address] [-i]" );
+#if LDAP_CONNECTIONLESS
+	fprintf( stderr, " [-c]" );
+#endif
 #ifdef SLAPD_BDB2
     fprintf( stderr, " [-t]" );
 #endif
 #ifdef LOG_LOCAL4
     fprintf( stderr, " [-l sysloguser]" );
 #endif
-#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H)
-    fprintf( stderr, " [-U user] [-G group]" );
+#if defined(HAVE_SETUID) && defined(HAVE_SETGID)
+    fprintf( stderr, " [-u user] [-g group]" );
 #endif
     fprintf( stderr, "\n" );
 }
@@ -84,7 +87,7 @@ main( int argc, char **argv )
 #ifdef LOG_LOCAL4
     int     syslogUser = DEFAULT_SYSLOG_USER;
 #endif
-#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H)
+#if defined(HAVE_SETUID) && defined(HAVE_SETGID)
 	char		*username = NULL, *groupname = NULL;
 #endif
 	char		*configfile;
@@ -102,15 +105,15 @@ main( int argc, char **argv )
 	g_argv = argv;
 
 	while ( (i = getopt( argc, argv,
-			     "d:f:ia:p:s:u"
+			     "d:f:ia:p:s:c"
 #ifdef LOG_LOCAL4
 			     "l:"
 #endif
 #ifdef SLAPD_BDB2
 			     "t"
 #endif
-#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H)
-			     "U:G:"
+#if defined(HAVE_SETUID) && defined(HAVE_SETGID)
+			     "u:g:"
 #endif
 			     )) != EOF ) {
 		switch ( i ) {
@@ -195,9 +198,11 @@ main( int argc, char **argv )
 			break;
 #endif
 
-		case 'u':	/* do udp */
+#ifdef LDAP_CONNECTIONLESS
+		case 'c':	/* do connectionless (udp) */
 			udp = 1;
 			break;
+#endif
 
 #ifdef SLAPD_BDB2
 		case 't':  /* timed server */
@@ -205,15 +210,17 @@ main( int argc, char **argv )
 			break;
 #endif
 
-#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H)
-		case 'U':	/* user name */
+#if defined(HAVE_SETUID) && defined(HAVE_GETUID)
+		case 'u':	/* user name */
+			if( username ) free(username);
 			username = ch_strdup( optarg );
 			break;
 
-		case 'G':	/* group name */
+		case 'g':	/* group name */
+			if( groupname ) free(groupname);
 			groupname = ch_strdup( optarg );
 			break;
-#endif /* HAVE_PWD_H && HAVE_GRP_H */
+#endif /* SETUID && GETUID */
 
 		default:
 			usage( argv[0] );
@@ -241,7 +248,7 @@ main( int argc, char **argv )
 
 	tcps = set_socket( inetd ? NULL : &bind_addr );
 
-#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H)
+#if defined(HAVE_SETUID) && defined(HAVE_SETGID)
 	if ( username != NULL || groupname != NULL )
 		slap_init_user( username, groupname );
 #endif

servers/slapd/user.c

@@ -11,12 +11,17 @@
 
 #include "portable.h"
 
-#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H)
+#if defined(HAVE_SETUID) && defined(HAVE_SETGID)
 
 #include <stdio.h>
 #include <stdlib.h>
+
+#ifdef HAVE_PWD_H
 #include <pwd.h>
+#endif
+#ifdef HAVE_GRP_H
 #include <grp.h>
+#endif
 
 #include <ac/ctype.h>
 #include <ac/unistd.h>
@@ -31,7 +36,7 @@
 void
 slap_init_user( char *user, char *group )
 {
-    uid_t	uid = (gid_t) -1;
+    uid_t	uid = (uid_t) -1;
     gid_t	gid = (gid_t) -1;
 
     if ( user ) {
@@ -104,11 +109,13 @@ slap_init_user( char *user, char *group )
 		   gid, 0, 0 );
 	    exit( 1 );
 	}
+#ifdef HAVE_SETEGID
 	if ( setegid( gid ) != 0 ) {
 	    Debug( LDAP_DEBUG_ANY, "Could not set effective group id to %d\n",
 		   gid, 0, 0 );
 	    exit( 1 );
 	}
+#endif
     }
 
     if ( uid >= 0 ) {
@@ -117,11 +124,13 @@ slap_init_user( char *user, char *group )
 		   uid, 0, 0 );
 	    exit( 1 );
 	}
+#ifdef HAVE_SETEUID
 	if ( seteuid( uid ) != 0 ) {
 	    Debug( LDAP_DEBUG_ANY, "Could not set real user id to %d\n",
 		   uid, 0, 0 );
 	    exit( 1 );
 	}
+#endif
     }
 }