
tieto team mailing list archive

[Bug 423252] Verification still needed

 

The fix for this bug has been awaiting testing feedback in the -proposed
repository for oneiric for more than 90 days.  Please test this fix and
update the bug appropriately with the results.  In the event that the
fix for this bug is still not verified 15 days from now, the package
will be removed from the -proposed repository.

** Tags added: removal-candidate

-- 
You received this bug notification because you are a member of Tieto,
which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/423252

Title:
  NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2
  suexec, and atd

Status in Release Notes for Ubuntu:
  Fix Released
Status in “libgcrypt11” package in Ubuntu:
  Fix Released
Status in “eglibc” source package in Lucid:
  Invalid
Status in “libgcrypt11” source package in Lucid:
  Fix Released
Status in “libnss-ldap” source package in Lucid:
  Invalid
Status in “sudo” source package in Lucid:
  Invalid
Status in “eglibc” source package in Maverick:
  Invalid
Status in “libgcrypt11” source package in Maverick:
  Won't Fix
Status in “libnss-ldap” source package in Maverick:
  Confirmed
Status in “sudo” source package in Maverick:
  Invalid
Status in “eglibc” source package in Natty:
  New
Status in “libgcrypt11” source package in Natty:
  Fix Committed
Status in “libnss-ldap” source package in Natty:
  New
Status in “sudo” source package in Natty:
  New
Status in “eglibc” source package in Oneiric:
  New
Status in “libgcrypt11” source package in Oneiric:
  Fix Committed
Status in “libnss-ldap” source package in Oneiric:
  New
Status in “sudo” source package in Oneiric:
  New
Status in “eglibc” source package in Precise:
  New
Status in “libgcrypt11” source package in Precise:
  Fix Released
Status in “libnss-ldap” source package in Precise:
  New
Status in “sudo” source package in Precise:
  New
Status in “eglibc” source package in Karmic:
  Invalid
Status in “libgcrypt11” source package in Karmic:
  Won't Fix
Status in “libnss-ldap” source package in Karmic:
  Invalid
Status in “sudo” source package in Karmic:
  Invalid
Status in “gnutls26” package in Debian:
  New
Status in “libgcrypt11” package in Debian:
  Confirmed
Status in “openldap” package in Debian:
  New
Status in “sudo” package in Debian:
  Confirmed
Status in “sudo” package in Kairos Linux:
  Confirmed

Bug description:
  SRU Request:

  [Impact]
  As heavily outlined by the number of comments on this bug, the impact is detrimental to both community and enterprise users alike.

  [Development Fix]
  Howard Chu released a patch in #73 which was later confirmed in #106 & #108 as a resolution.

  [Stable Fix]
  Patch from #73 can be applied cleanly to Lucid and new distributions.

  [Test Case]
  On Karmic (alpha 4 plus updates), changing the nsswitch.conf 'passwd' field to anything with 'ldap' as the first item breaks the ability to become root using 'su' and 'sudo' as anyone but root.

  Default nsswitch.conf:

  passwd:         compat
  group:          compat
  shadow:         compat

  matt@box:~$ sudo uname -a
  [sudo] password for matt:
  Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 GNU/Linux

  matt@box:~$ su -
  Password:
  root@box:~#

  Modified nsswitch.conf with 'ldap' before 'compat':

  passwd:         ldap compat
  group:          ldap compat
  shadow:         ldap compat

  matt@box:~$ sudo uname -a
  sudo: setreuid(ROOT_UID, user_uid): Operation not permitted

  matt@box:~$ su -
  Password:
  setgid: Operation not permitted

  Modified nsswitch.conf with 'ldap' after 'compat':

  passwd:         compat ldap
  group:          compat ldap
  shadow:         compat ldap

  matt@box:~$ sudo uname -a
  [sudo] password for matt:
  Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 GNU/Linux

  matt@box:~$ su -
  Password:
  root@box:~#

  The same arrangements in nsswitch.conf work as expected in Jaunty and
  earlier releases.

  [Regression Potential]
  This should be minimal as the code change only addresses the duplicated global_init during thread callbacks.

  Lucid Release Note:

  == NSS via LDAP+SSL breaks setuid applications like sudo ==

  Upgrading systems configured to use ldap over ssl as the first service
  in the nss stack (in nsswitch.conf) leads to a broken nss resolution
  for setuid applications after the upgrade to Lucid (for example sudo
  would stop working). There isn't any simple workaround for now. One
  option is to switch to libnss-ldapd in place of libnss-ldap before the
  upgrade. Another one consists in using nscd before the upgrade.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-release-notes/+bug/423252/+subscriptions
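The test case in the bug report shows that the failure is tied to the order of services in nsswitch.conf: "ldap compat" breaks su and sudo, "compat ldap" works. The following shell script is an added example (not part of the bug report, of Ubuntu, or of any libnss-ldap or libgcrypt package) that audits an nsswitch.conf for that ordering before an upgrade and rewrites the affected lines into the "compat ldap" arrangement the reporter shows working. The function names and the sample nsswitch.conf contents are the example's own constructions; it only reorders the passwd, group and shadow databases and leaves everything else untouched.

```shell
#!/bin/sh
# Added example, not from the bug report: audit /etc/nsswitch.conf for the
# ordering that breaks setuid programs on the affected releases, i.e. "ldap"
# named as the FIRST service of passwd, group or shadow.

# check_nss_order FILE
#   Prints each passwd/group/shadow line whose first service is ldap.
#   Returns 0 if at least one such line exists (risky), 1 otherwise.
#   Pass "-" (or nothing) to read from stdin.
check_nss_order() {
    awk '
        /^[[:space:]]*#/ { next }                       # skip comments
        $1 == "passwd:" || $1 == "group:" || $1 == "shadow:" {
            if ($2 == "ldap") { print; bad = 1 }
        }
        END { exit bad ? 0 : 1 }
    ' "${1:--}"
}

# reorder_nss FILE
#   Writes FILE to stdout with "ldap" moved behind the other services on the
#   passwd/group/shadow lines (the "compat ldap" arrangement from the bug),
#   carrying along any "[ACTION=...]" tokens that directly follow ldap so the
#   action still applies to the ldap source. A line that lists ldap as its
#   only service is left as is and will still be reported by check_nss_order.
reorder_nss() {
    awk '
        /^[[:space:]]*#/ { print; next }
        ($1 == "passwd:" || $1 == "group:" || $1 == "shadow:") && $2 == "ldap" {
            moved = "ldap"; i = 3
            while (i <= NF && $i ~ /^\[/) { moved = moved " " $i; i++ }
            rest = $1
            for (; i <= NF; i++) rest = rest " " $i
            print rest " " moved
            next
        }
        { print }
    ' "${1:--}"
}

# Constructed samples mirroring the two arrangements from the bug report.
write_sample_bad() {
    f=$(mktemp)
    printf 'passwd:\t\tldap compat\ngroup:\t\tldap compat\nshadow:\t\tldap compat\nhosts:\t\tfiles dns\n' > "$f"
    echo "$f"
}
write_sample_good() {
    f=$(mktemp)
    printf 'passwd:\t\tcompat ldap\ngroup:\t\tcompat ldap\nshadow:\t\tcompat ldap\nhosts:\t\tfiles dns\n' > "$f"
    echo "$f"
}

# Typical use on a real host (run as a user that can read the file):
#   check_nss_order /etc/nsswitch.conf && reorder_nss /etc/nsswitch.conf > nsswitch.conf.new
```

Note that reordering is not free: with "compat ldap", a local entry in /etc/passwd or /etc/group wins over an LDAP entry of the same name, which is the opposite of what an "ldap compat" site has been relying on. Review the rewritten file for such collisions before installing it, and consider the other two options the release note gives (switching to libnss-ldapd, or running nscd) where the precedence change is unacceptable.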