tieto team mailing list archive
-
tieto team
-
Mailing list archive
-
Message #00177
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
According to Andreas Metzler
http://lists.debian.org/debian-legal/2011/02/msg00006.html
{{ GnuTLS upstream has added support for different crypto backends in
2.11.x and has chosen nettle as prefered backend (2.10.x is using
libgcrypt). }}
I have started to experiment with using a gnutls26 package with nettle
instead of libgcrypt11 on Ubuntu 12.04.
I have yet to adjust the gnutls26 package dependencies, at this point
I just cheat and install nettle-dev manually:
sudo apt-get install nettle-dev
Then I
apt-get source gnutls26
to fetch the source for gnutls26-2.12.14
chop out
--with-libgcrypt
from debian/rules
bump the package version in debian/changelog to 2.12.14-5ubuntu2.1
and rebuild with
debuild -i -uc -us -b
then I put a checkpoint on the VM and install the package:
dpkg -i libgnutls26_2.12.14-5ubuntu2.1_amd64.deb
but then sudo works on my LDAP+SSL client.
--
You received this bug notification because you are a member of Tieto,
which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/423252
Title:
NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2
suexec, and atd
Status in Release Notes for Ubuntu:
Fix Released
Status in “eglibc” package in Ubuntu:
Invalid
Status in “libgcrypt11” package in Ubuntu:
Confirmed
Status in “libnss-ldap” package in Ubuntu:
Invalid
Status in “sudo” package in Ubuntu:
Invalid
Status in “eglibc” source package in Lucid:
Invalid
Status in “libgcrypt11” source package in Lucid:
Confirmed
Status in “libnss-ldap” source package in Lucid:
Invalid
Status in “sudo” source package in Lucid:
Invalid
Status in “eglibc” source package in Maverick:
Invalid
Status in “libgcrypt11” source package in Maverick:
Confirmed
Status in “libnss-ldap” source package in Maverick:
Confirmed
Status in “sudo” source package in Maverick:
Invalid
Status in “eglibc” source package in Karmic:
Invalid
Status in “libgcrypt11” source package in Karmic:
Won't Fix
Status in “libnss-ldap” source package in Karmic:
Invalid
Status in “sudo” source package in Karmic:
Invalid
Status in “libgcrypt11” package in Debian:
Confirmed
Status in “sudo” package in Debian:
Confirmed
Status in “sudo” package in Kairos Linux:
Confirmed
Bug description:
On Karmic (alpha 4 plus updates), changing the nsswitch.conf 'passwd'
field to anything with 'ldap' as the first item breaks the ability to
become root using 'su' and 'sudo' as anyone but root.
Default nsswitch.conf:
passwd: compat
group: compat
shadow: compat
matt@box:~$ sudo uname -a
[sudo] password for matt:
Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 GNU/Linux
matt@box:~$ su -
Password:
root@box:~#
Modified nsswitch.conf with 'ldap' before 'compat':
passwd: ldap compat
group: ldap compat
shadow: ldap compat
matt@box:~$ sudo uname -a
sudo: setreuid(ROOT_UID, user_uid): Operation not permitted
matt@box:~$ su -
Password:
setgid: Operation not permitted
Modified nsswitch.conf with 'ldap' after 'compat':
passwd: compat ldap
group: compat ldap
shadow: compat ldap
matt@box:~$ sudo uname -a
[sudo] password for matt:
Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 GNU/Linux
matt@box:~$ su -
Password:
root@box:~#
The same arrangements in nsswitch.conf work as expected in Jaunty and
earlier releases.
Lucid Release Note:
== NSS via LDAP+SSL breaks setuid applications like sudo ==
Upgrading systems configured to use ldap over ssl as the first service
in the nss stack (in nsswitch.conf) leads to a broken nss resolution
for setuid applications after the upgrade to Lucid (for example sudo
would stop working). There isn't any simple workaround for now. One
option is to switch to libnss-ldapd in place of libnss-ldap before the
upgrade. Another one consists in using nscd before the upgrade.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-release-notes/+bug/423252/+subscriptions
