ubuntu-translations-coordinators team mailing list archive
-
ubuntu-translations-coordinators team
-
Mailing list archive
-
Message #09007
[Bug 423252] [NEW] NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
You have been subscribed to a public bug:
SRU Request:
[Impact]
As heavily outlined in the amount of comments in this bug the impact is detrimental to both community and enterprise users alike.
[Development Fix]
Howard Chu released a patch in #73 which was later confirmed in #106 & #108 as a resolution.
[Stable Fix]
Patch from #73 can be applied cleanly to Lucid and new distributions.
[Test Case]
On Karmic (alpha 4 plus updates), changing the nsswitch.conf 'passwd' field to anything with 'ldap' as the first item breaks the ability to become root using 'su' and 'sudo' as anyone but root.
Default nsswitch.conf:
passwd: compat
group: compat
shadow: compat
matt@box:~$ sudo uname -a
[sudo] password for matt:
Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 GNU/Linux
matt@box:~$ su -
Password:
root@box:~#
Modified nsswitch.conf with 'ldap' before 'compat':
passwd: ldap compat
group: ldap compat
shadow: ldap compat
matt@box:~$ sudo uname -a
sudo: setreuid(ROOT_UID, user_uid): Operation not permitted
matt@box:~$ su -
Password:
setgid: Operation not permitted
Modified nsswitch.conf with 'ldap' after 'compat':
passwd: compat ldap
group: compat ldap
shadow: compat ldap
matt@box:~$ sudo uname -a
[sudo] password for matt:
Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 GNU/Linux
matt@box:~$ su -
Password:
root@box:~#
The same arrangements in nsswitch.conf work as expected in Jaunty and
earlier releases.
[Regression Potential]
This should be minimal as the code change only addresses the duplicating global_init during thread callbacks.
Lucid Release Note:
== NSS via LDAP+SSL breaks setuid applications like sudo ==
Upgrading systems configured to use ldap over ssl as the first service
in the nss stack (in nsswitch.conf) leads to a broken nss resolution for
setuid applications after the upgrade to Lucid (for example sudo would
stop working). There isn't any simple workaround for now. One option is
to switch to libnss-ldapd in place of libnss-ldap before the upgrade.
Another one consists in using nscd before the upgrade.
** Affects: libgcrypt
Importance: Unknown
Status: Fix Released
** Affects: ubuntu-release-notes
Importance: Undecided
Status: Fix Released
** Affects: libgcrypt11 (Ubuntu)
Importance: Medium
Status: Fix Released
** Affects: libgcrypt11 (Ubuntu Lucid)
Importance: Medium
Assignee: Canonical Foundations Team (canonical-foundations)
Status: Fix Released
** Affects: libgcrypt11 (Ubuntu Maverick)
Importance: Medium
Assignee: Canonical Foundations Team (canonical-foundations)
Status: Won't Fix
** Affects: libgcrypt11 (Ubuntu Natty)
Importance: Medium
Status: Won't Fix
** Affects: libgcrypt11 (Ubuntu Oneiric)
Importance: Medium
Status: Won't Fix
** Affects: libgcrypt11 (Ubuntu Precise)
Importance: Medium
Status: Fix Released
** Affects: libgcrypt11 (Ubuntu Karmic)
Importance: Medium
Status: Won't Fix
** Affects: ubuntu-translations
Importance: Undecided
Status: New
** Affects: libgcrypt11 (Debian)
Importance: Unknown
Status: Unknown
** Affects: libnss-ldap (Debian)
Importance: Unknown
Status: Fix Released
** Affects: sudo (Debian)
Importance: Unknown
Status: Fix Released
** Tags: karmic lucid patch precise regression-release verification-done-lucid verification-done-precise
--
NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu Translations Coordinators, which is subscribed to Ubuntu Translations.
