
tieto team mailing list archive

[Bug 423252] nss-ldap, SUID executables, gcrypt

 

Hi all,

this bug has been brought to my attention by my boss today.
If I understand the situation correctly, the problem is:

• OpenLDAP links against GnuTLS (gnutls26)
• gnutls26 links against gcrypt, which has the bug
• gnutls28 links against nettle, but also gmp which is LGPLv3+
• OpenLDAP thus can’t link against gnutls28, as it has reverse
  dependencies that are not LGPLv3-/GPLv3-compatible
• the package affected is libnss-ldap though

For some reason, neither nscd nor unscd seem to be able to
work around this bug, so it has become rather critical (e.g.
for use in company networks).

Why not do a readline and provide *two* versions of the
OpenLDAP client libraries, keep libldap-2.4-2 linked
against gnutls26 and add another shared library plus
development package (with at least the two shared library
packages coïnstallable) to link against gnutls28 and build
these BOTH from the SAME source package at the SAME time,
so an upload of OpenLDAP will not need another package to
be (re-)built to stay in sync.

Did anyone think of it already and will shoot this idea
down immediately? Or could it work?

bye,
//mirabilos • tg@xxxxxxxxxx
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Elmar Geese

-- 
You received this bug notification because you are a member of Tieto,
which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/423252

Title:
  NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2
  suexec, and atd

Status in Release Notes for Ubuntu:
  Fix Released
Status in “eglibc” package in Ubuntu:
  Invalid
Status in “libgcrypt11” package in Ubuntu:
  Confirmed
Status in “libnss-ldap” package in Ubuntu:
  Invalid
Status in “sudo” package in Ubuntu:
  Invalid
Status in “eglibc” source package in Lucid:
  Invalid
Status in “libgcrypt11” source package in Lucid:
  Confirmed
Status in “libnss-ldap” source package in Lucid:
  Invalid
Status in “sudo” source package in Lucid:
  Invalid
Status in “eglibc” source package in Maverick:
  Invalid
Status in “libgcrypt11” source package in Maverick:
  Confirmed
Status in “libnss-ldap” source package in Maverick:
  Confirmed
Status in “sudo” source package in Maverick:
  Invalid
Status in “eglibc” source package in Karmic:
  Invalid
Status in “libgcrypt11” source package in Karmic:
  Won't Fix
Status in “libnss-ldap” source package in Karmic:
  Invalid
Status in “sudo” source package in Karmic:
  Invalid
Status in “libgcrypt11” package in Debian:
  Confirmed
Status in “sudo” package in Debian:
  Confirmed
Status in “sudo” package in Kairos Linux:
  Confirmed

Bug description:
  On Karmic (alpha 4 plus updates), changing the nsswitch.conf 'passwd'
  field to anything with 'ldap' as the first item breaks the ability to
  become root using 'su' and 'sudo' as anyone but root.

  Default nsswitch.conf:

  passwd:         compat
  group:          compat
  shadow:         compat

  matt@box:~$ sudo uname -a
  [sudo] password for matt:
  Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 GNU/Linux

  matt@box:~$ su -
  Password:
  root@box:~#

  Modified nsswitch.conf with 'ldap' before 'compat':

  passwd:         ldap compat
  group:          ldap compat
  shadow:         ldap compat

  matt@box:~$ sudo uname -a
  sudo: setreuid(ROOT_UID, user_uid): Operation not permitted

  matt@box:~$ su -
  Password:
  setgid: Operation not permitted

  Modified nsswitch.conf with 'ldap' after 'compat':

  passwd:         compat ldap
  group:          compat ldap
  shadow:         compat ldap

  matt@box:~$ sudo uname -a
  [sudo] password for matt:
  Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 GNU/Linux

  matt@box:~$ su -
  Password:
  root@box:~#

  The same arrangements in nsswitch.conf work as expected in Jaunty and
  earlier releases.

  Lucid Release Note:

  == NSS via LDAP+SSL breaks setuid applications like sudo ==

  Upgrading systems configured to use ldap over ssl as the first service
  in the nss stack (in nsswitch.conf) leads to a broken nss resolution
  for setuid applications after the upgrade to Lucid (for example sudo
  would stop working). There isn't any simple workaround for now. One
  option is to switch to libnss-ldapd in place of libnss-ldap before the
  upgrade. Another one consists in using nscd before the upgrade.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-release-notes/+bug/423252/+subscriptions
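The release note above tells administrators to change their setup before the upgrade if LDAP is the first service in the NSS stack, but it gives no way to find out which hosts are in that state. The following is an added example, not code from the bug report, the release note or any Ubuntu package: a small checker that parses an nsswitch.conf-style text and reports the identity databases (passwd, group, shadow) whose first source is `ldap`, which is the ordering the report shows breaking su and sudo. It also prints the `compat ldap` arrangement the reporter shows still working. The two sample configurations are constructed from the lines quoted in the report; the function and constant names are this example's own, and nothing here touches the live system.

```python
# Added example (not from the bug report, the release note or any Ubuntu
# package): flag nsswitch.conf files where "ldap" precedes the local
# glibc sources for the identity databases. Only a text is inspected;
# nothing here modifies the running system.
import re

# Databases a setuid program consults when it switches uid/gid.
IDENTITY_DBS = ("passwd", "group", "shadow")

# Sources served by glibc itself; "ldap" ahead of these is the ordering
# the bug report shows breaking su and sudo.
LOCAL_SOURCES = ("compat", "files")

# Constructed sample, modelled on the "ldap before compat" configuration
# quoted in the bug report. Not a capture from a real host.
SAMPLE_BROKEN = """\
# /etc/nsswitch.conf (constructed sample)
passwd:         ldap compat
group:          ldap compat
shadow:         ldap compat
hosts:          files dns [NOTFOUND=return] mdns4
"""

# Constructed sample of the ordering the report shows still working.
SAMPLE_OK = """\
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
"""

_ACTION = re.compile(r"\[[^\]]*\]")  # action specifiers such as [NOTFOUND=return]


def parse_nsswitch(text):
    """Return {database: [source, ...]} for an nsswitch.conf-style text.

    Comments and action specifiers are dropped; only the source order
    matters for this check.
    """
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, sources = line.split(":", 1)
        config[db.strip()] = _ACTION.sub(" ", sources).split()
    return config


def ldap_first_databases(config):
    """Identity databases whose first source is ldap (the reported trigger)."""
    return [db for db in IDENTITY_DBS if config.get(db, [])[:1] == ["ldap"]]


def local_sources_first(sources):
    """Reorder one database's sources so the local glibc sources come
    before ldap, keeping the relative order of everything else.

    This mirrors the "compat ldap" arrangement the report shows working
    for local accounts; it is not claimed as a general fix for the bug.
    """
    local = [s for s in sources if s in LOCAL_SOURCES]
    rest = [s for s in sources if s not in LOCAL_SOURCES]
    return local + rest


def suggested_config(config):
    """Copy of the parsed config with the flagged databases reordered."""
    fixed = dict(config)
    for db in ldap_first_databases(config):
        fixed[db] = local_sources_first(config[db])
    return fixed


def render(config):
    """Serialise back to nsswitch.conf syntax (action specifiers are lost)."""
    lines = [f"{db}:\t{' '.join(sources)}" for db, sources in config.items()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    cfg = parse_nsswitch(SAMPLE_BROKEN)
    hit = ldap_first_databases(cfg)
    if hit:
        print("ldap is the first source for:", ", ".join(hit))
        print("ordering the report shows working:")
        print(render(suggested_config(cfg)), end="")
    else:
        print("no identity database lists ldap first")
```

Run it against a copy of a host's /etc/nsswitch.conf (for example `parse_nsswitch(open("/etc/nsswitch.conf").read())`) as a pre-upgrade check. The checker only reports; the reordering it prints is the configuration the reporter shows as still working for local accounts, while the release note's documented options are switching to libnss-ldapd or running nscd before the upgrade.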

