
tieto team mailing list archive

[Bug 423252] [NEW] NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd


You have been subscribed to a public bug by Bolesław Tokarski (boleslaw-tokarski):

On Karmic (alpha 4 plus updates), changing the nsswitch.conf 'passwd'
field to anything with 'ldap' as the first item breaks the ability to
become root using 'su' and 'sudo' as anyone but root.

Default nsswitch.conf:

passwd:         compat
group:          compat
shadow:         compat

matt@box:~$ sudo uname -a
[sudo] password for matt:
Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 GNU/Linux

matt@box:~$ su -
Password:
root@box:~#

Modified nsswitch.conf with 'ldap' before 'compat':

passwd:         ldap compat
group:          ldap compat
shadow:         ldap compat

matt@box:~$ sudo uname -a
sudo: setreuid(ROOT_UID, user_uid): Operation not permitted

matt@box:~$ su -
Password:
setgid: Operation not permitted

Modified nsswitch.conf with 'ldap' after 'compat':

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

matt@box:~$ sudo uname -a
[sudo] password for matt:
Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 GNU/Linux

matt@box:~$ su -
Password:
root@box:~#

The same arrangements in nsswitch.conf work as expected in Jaunty and
earlier releases.

Lucid Release Note:

== NSS via LDAP+SSL breaks setuid applications like sudo ==

Upgrading systems configured to use LDAP over SSL as the first service
in the NSS stack (in nsswitch.conf) leads to broken NSS resolution for
setuid applications after the upgrade to Lucid (for example, sudo would
stop working). There isn't any simple workaround for now. One option is
to switch to libnss-ldapd in place of libnss-ldap before the upgrade.
Another is to use nscd before the upgrade.
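The configuration the report singles out is easy to state but easy to miss during an upgrade review: 'ldap' as the first service for passwd, group or shadow. The following POSIX shell script is an added example, not part of the bug report or of any Ubuntu package; it scans an nsswitch.conf for exactly that arrangement and reports which databases are affected, using constructed sample files rather than the system's real /etc/nsswitch.conf. The function and file names are my own.

```shell
#!/bin/sh
# Added example (not from the bug report): find the nsswitch.conf layout the
# report says breaks setuid programs such as su and sudo, namely "ldap" as
# the FIRST service of passwd, group or shadow.

# ldap_first_dbs FILE
#   Prints, one per line, each of passwd/group/shadow whose first NSS service
#   is ldap. Prints nothing when the file is unaffected. Handles comments,
#   tabs, and the "passwd:ldap" spelling without a space after the colon.
#   Always returns 0 so it is safe to call under 'set -e'.
ldap_first_dbs() {
    file=$1
    set -f                          # no pathname globbing while word-splitting
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}            # drop trailing / whole-line comments
        set -- $line                # $1 = "passwd:" (or "passwd:ldap"), $2 = next word
        [ $# -eq 0 ] && continue    # blank or comment-only line
        case $1 in
            *:*) db=${1%%:*}; rest=${1#*:} ;;
            *)   continue ;;        # not a "database:" line
        esac
        if [ -n "$rest" ]; then first=$rest; else first=$2; fi
        case $db in
            passwd|group|shadow)
                if [ "$first" = "ldap" ]; then
                    echo "$db"
                fi
                ;;
        esac
    done < "$file"
    set +f
    return 0
}

# nsswitch_verdict FILE
#   Prints "affected" if any of passwd/group/shadow lists ldap first
#   (the layout that broke su/sudo in the report), otherwise "ok".
nsswitch_verdict() {
    if [ -n "$(ldap_first_dbs "$1")" ]; then
        echo affected
    else
        echo ok
    fi
}

# Demo on constructed files mirroring the report's "broken" and "working"
# nsswitch.conf fragments (tabs between field and services, as in the report).
demo_dir=$(mktemp -d)
printf 'passwd:\t\tldap compat\ngroup:\t\tldap compat\nshadow:\t\tldap compat\nhosts:\t\tfiles dns\n' \
    > "$demo_dir/broken.conf"
printf 'passwd:\t\tcompat ldap\ngroup:\t\tcompat ldap\nshadow:\t\tcompat ldap\n' \
    > "$demo_dir/working.conf"
for name in broken working; do
    echo "$name.conf: $(nsswitch_verdict "$demo_dir/$name.conf")"
    ldap_first_dbs "$demo_dir/$name.conf" | sed 's/^/  ldap is first for: /'
done
rm -rf "$demo_dir"
```

Run it against a copy of the real file with `nsswitch_verdict /etc/nsswitch.conf`; an "affected" verdict before a Karmic/Lucid upgrade is the cue to apply one of the release note's options (libnss-ldapd instead of libnss-ldap, or nscd) first.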

** Affects: ubuntu-release-notes
     Importance: Undecided
         Status: Fix Released

** Affects: eglibc (Ubuntu)
     Importance: Undecided
         Status: Invalid

** Affects: libgcrypt11 (Ubuntu)
     Importance: Medium
         Status: Triaged

** Affects: libnss-ldap (Ubuntu)
     Importance: Medium
         Status: Invalid

** Affects: sudo (Ubuntu)
     Importance: Medium
     Assignee: Mathias Gug (mathiaz)
         Status: Invalid

** Affects: eglibc (Ubuntu Lucid)
     Importance: Undecided
         Status: Invalid

** Affects: libgcrypt11 (Ubuntu Lucid)
     Importance: Medium
         Status: Triaged

** Affects: libnss-ldap (Ubuntu Lucid)
     Importance: Medium
         Status: Invalid

** Affects: sudo (Ubuntu Lucid)
     Importance: Medium
     Assignee: Mathias Gug (mathiaz)
         Status: Invalid

** Affects: eglibc (Ubuntu Karmic)
     Importance: Undecided
         Status: Invalid

** Affects: libgcrypt11 (Ubuntu Karmic)
     Importance: Medium
         Status: Triaged

** Affects: libnss-ldap (Ubuntu Karmic)
     Importance: Undecided
         Status: Invalid

** Affects: sudo (Ubuntu Karmic)
     Importance: Undecided
         Status: Invalid

** Affects: libgcrypt11 (Debian)
     Importance: Unknown
         Status: Confirmed

** Affects: sudo (Debian)
     Importance: Unknown
         Status: Confirmed

** Affects: sudo (Kairos Linux)
     Importance: High
     Assignee: Philipp Kaluza (pixelpapst)
         Status: Confirmed

** Tags: glucid patch regression-release
https://bugs.launchpad.net/bugs/423252