[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd

Boian Mihailov 423252 at bugs.launchpad.net
Tue Oct 4 14:56:10 UTC 2011 

Thanks a lot, works like a charm. I wish i could be of any help to
you, saved me a lot of time.

2011/10/4 cdmiller <cdmiller at adams.edu>:
> Just a follow up to #106.  We have been running with the libgcrypt11
> patch from #73 with a couple thousand openldap and AD users using
> Apache2/phpsuexec on Lucid 10.04.2 64 bit for months now with no
> troubles.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/423252
>
> Title:
>  NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2
>  suexec, and atd
>
> Status in Release Notes for Ubuntu:
>  Fix Released
> Status in “eglibc” package in Ubuntu:
>  Invalid
> Status in “libgcrypt11” package in Ubuntu:
>  Confirmed
> Status in “libnss-ldap” package in Ubuntu:
>  Invalid
> Status in “sudo” package in Ubuntu:
>  Invalid
> Status in “eglibc” source package in Lucid:
>  Invalid
> Status in “libgcrypt11” source package in Lucid:
>  Confirmed
> Status in “libnss-ldap” source package in Lucid:
>  Invalid
> Status in “sudo” source package in Lucid:
>  Invalid
> Status in “eglibc” source package in Maverick:
>  Invalid
> Status in “libgcrypt11” source package in Maverick:
>  Confirmed
> Status in “libnss-ldap” source package in Maverick:
>  Confirmed
> Status in “sudo” source package in Maverick:
>  Invalid
> Status in “eglibc” source package in Karmic:
>  Invalid
> Status in “libgcrypt11” source package in Karmic:
>  Won't Fix
> Status in “libnss-ldap” source package in Karmic:
>  Invalid
> Status in “sudo” source package in Karmic:
>  Invalid
> Status in “libgcrypt11” package in Debian:
>  Confirmed
> Status in “sudo” package in Debian:
>  Confirmed
> Status in “sudo” package in Kairos Linux:
>  Confirmed
>
> Bug description:
>  On Karmic (alpha 4 plus updates), changing the nsswitch.conf 'passwd'
>  field to anything with 'ldap' as the first item breaks the ability to
>  become root using 'su' and 'sudo' as anyone but root.
>
>  Default nsswitch.conf:
>
>  passwd:         compat
>  group:          compat
>  shadow:         compat
>
>  matt at box:~$ sudo uname -a
>  [sudo] password for matt:
>  Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 GNU/Linux
>
>  matt at box:~$ su -
>  Password:
>  root at box:~#
>
>  Modified nsswitch.conf with 'ldap' before 'compat':
>
>  passwd:         ldap compat
>  group:          ldap compat
>  shadow:         ldap compat
>
>  matt at box:~$ sudo uname -a
>  sudo: setreuid(ROOT_UID, user_uid): Operation not permitted
>
>  matt at box:~$ su -
>  Password:
>  setgid: Operation not permitted
>
>  Modified nsswitch.conf with 'ldap' after 'compat':
>
>  passwd:         compat ldap
>  group:          compat ldap
>  shadow:         compat ldap
>
>  matt at box:~$ sudo uname -a
>  [sudo] password for matt:
>  Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 GNU/Linux
>
>  matt at box:~$ su -
>  Password:
>  root at box:~#
>
>  The same arrangements in nsswitch.conf work as expected in Jaunty and
>  earlier releases.
>
>  Lucid Release Note:
>
>  == NSS via LDAP+SSL breaks setuid applications like sudo ==
>
>  Upgrading systems configured to use ldap over ssl as the first service
>  in the nss stack (in nsswitch.conf) leads to a broken nss resolution
>  for setuid applications after the upgrade to Lucid (for example sudo
>  would stop working). There isn't any simple workaround for now. One
>  option is to switch to libnss-ldapd in place of libnss-ldap before the
>  upgrade. Another one consists in using nscd before the upgrade.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu-release-notes/+bug/423252/+subscriptions
>

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to eglibc in Ubuntu.
https://bugs.launchpad.net/bugs/423252

Title:
  NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2
  suexec, and atd

Status in Release Notes for Ubuntu:
  Fix Released
Status in “eglibc” package in Ubuntu:
  Invalid
Status in “libgcrypt11” package in Ubuntu:
  Confirmed
Status in “libnss-ldap” package in Ubuntu:
  Invalid
Status in “sudo” package in Ubuntu:
  Invalid
Status in “eglibc” source package in Lucid:
  Invalid
Status in “libgcrypt11” source package in Lucid:
  Confirmed
Status in “libnss-ldap” source package in Lucid:
  Invalid
Status in “sudo” source package in Lucid:
  Invalid
Status in “eglibc” source package in Maverick:
  Invalid
Status in “libgcrypt11” source package in Maverick:
  Confirmed
Status in “libnss-ldap” source package in Maverick:
  Confirmed
Status in “sudo” source package in Maverick:
  Invalid
Status in “eglibc” source package in Karmic:
  Invalid
Status in “libgcrypt11” source package in Karmic:
  Won't Fix
Status in “libnss-ldap” source package in Karmic:
  Invalid
Status in “sudo” source package in Karmic:
  Invalid
Status in “libgcrypt11” package in Debian:
  Confirmed
Status in “sudo” package in Debian:
  Confirmed
Status in “sudo” package in Kairos Linux:
  Confirmed

Bug description:
  On Karmic (alpha 4 plus updates), changing the nsswitch.conf 'passwd'
  field to anything with 'ldap' as the first item breaks the ability to
  become root using 'su' and 'sudo' as anyone but root.

  Default nsswitch.conf:

  passwd:         compat
  group:          compat
  shadow:         compat

  matt at box:~$ sudo uname -a
  [sudo] password for matt:
  Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 GNU/Linux

  matt at box:~$ su -
  Password:
  root at box:~#

  Modified nsswitch.conf with 'ldap' before 'compat':

  passwd:         ldap compat
  group:          ldap compat
  shadow:         ldap compat

  matt at box:~$ sudo uname -a
  sudo: setreuid(ROOT_UID, user_uid): Operation not permitted

  matt at box:~$ su -
  Password:
  setgid: Operation not permitted

  Modified nsswitch.conf with 'ldap' after 'compat':

  passwd:         compat ldap
  group:          compat ldap
  shadow:         compat ldap

  matt at box:~$ sudo uname -a
  [sudo] password for matt:
  Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 GNU/Linux

  matt at box:~$ su -
  Password:
  root at box:~#

  The same arrangements in nsswitch.conf work as expected in Jaunty and
  earlier releases.

  Lucid Release Note:

  == NSS via LDAP+SSL breaks setuid applications like sudo ==

  Upgrading systems configured to use ldap over ssl as the first service
  in the nss stack (in nsswitch.conf) leads to a broken nss resolution
  for setuid applications after the upgrade to Lucid (for example sudo
  would stop working). There isn't any simple workaround for now. One
  option is to switch to libnss-ldapd in place of libnss-ldap before the
  upgrade. Another one consists in using nscd before the upgrade.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-release-notes/+bug/423252/+subscriptions

More information about the foundations-bugs mailing list