ldapd always uses O_CREAT when reopening database files, so the database

directory must be unveiled with "rwc" rather than just "rw".

ok deraadt@ mestre@

diff --git a/usr.sbin/ldapd/ldapd.c b/usr.sbin/ldapd/ldapd.c
index 0bb6a59..34a098f 100644 (file)
--- a/usr.sbin/ldapd/ldapd.c
+++ b/usr.sbin/ldapd/ldapd.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ldapd.c,v 1.30 2021/12/15 04:00:15 deraadt Exp $ */
+/*     $OpenBSD: ldapd.c,v 1.31 2021/12/15 11:36:40 jmatthew Exp $ */
 
 /*
  * Copyright (c) 2009, 2010 Martin Hedenfalk <martin@bzero.se>
@@ -243,7 +243,7 @@ main(int argc, char *argv[])
                err(1, "unveil %s.db", _PATH_LOGIN_CONF);
        if (unveil(_PATH_AUTHPROGDIR, "x") == -1)
                err(1, "unveil %s", _PATH_AUTHPROGDIR);
-       if (unveil(datadir, "rw") == -1)
+       if (unveil(datadir, "rwc") == -1)
                err(1, "unveil %s", datadir);
        if (unveil(NULL, NULL) == -1)
                err(1, "unveil");