[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

Andreas Sandberg launchpad.net at andreas.sandberg.pp.se
Fri Apr 16 23:07:49 BST 2010


I managed to get a core-dump from a test program (a nice little hack
that debugs the test application and core dumps it when it executes the
setuid syscall) that reproduces the bug. The following stack trace might
be of interest:

#0  __nptl_setxid (cmdp=0x7fff1439ad00) at allocatestack.c:1135
#1  0x00007f41dda052fb in __setuid (uid=<value optimized out>) at ../sysdeps/unix/sysv/linux/setuid.c:26
#2  0x00007f41db005124 in lock_pool (n=<value optimized out>) at secmem.c:296
#3  secmem_init (n=<value optimized out>) at secmem.c:477
#4  0x00007f41db0052da in _gcry_secmem_malloc_internal (size=128) at secmem.c:509
#5  0x00007f41db005368 in _gcry_secmem_malloc (size=128) at secmem.c:544
#6  0x00007f41db00084d in do_malloc (n=1000, flags=1000, mem=0x7fff1439adb8) at global.c:730
#7  0x00007f41db00087c in _gcry_malloc_secure (n=1000) at global.c:769
#8  0x00007f41db0130c0 in md_open (h=0x7fff1439ae28, algo=1, secure=<value optimized out>, hmac=<value optimized out>) at md.c:487
#9  0x00007f41db0131ea in _gcry_md_open (h=0x7fff1439af18, algo=1000, flags=<value optimized out>) at md.c:530
#10 0x00007f41dbd03c0f in wrap_gcry_mac_init (algo=<value optimized out>, ctx=0x3e8) at mac-libgcrypt.c:42
#11 0x00007f41dbcea127 in _gnutls_hmac_init (dig=0x7fff1439af10, algorithm=GNUTLS_MAC_MD5, key=0x10afbc0, keylen=24) at gnutls_hash_int.c:277
#12 0x00007f41dbcfad78 in _gnutls_P_hash (algorithm=<value optimized out>, secret=<value optimized out>, secret_size=<value optimized out>, seed=<value optimized out>, seed_size=<value optimized out>, total_bytes=<value optimized out>, ret=0x7fff1439b170 "\231\376~", <incomplete sequence \316>) at gnutls_state.c:811
#13 0x00007f41dbcfafca in _gnutls_PRF (session=<value optimized out>, secret=<value optimized out>, secret_size=<value optimized out>, label=<value optimized out>, label_size=<value optimized out>, seed=0x7fff1439b570 "K\310\331\346-\364\310*~E%\026\223g\216\323K֜\272^1\270Fn\025\254\307`\235%\rK\310\331\345\267\337\023y\314Tn\262-\277\236S\017\362B\237W\220\017\366H\035\372͟5\204\027\001", seed_size=<value optimized out>, total_bytes=48, ret=0x10b2552) at gnutls_state.c:926
#14 0x00007f41dbce883f in generate_normal_master (session=0x10b2530, keep_premaster=0) at gnutls_kx.c:155
#15 0x00007f41dbcf35bb in _gnutls_connection_state_init (session=0x3e8) at gnutls_constate.c:434
#16 0x00007f41dbce43f8 in _gnutls_send_handshake_final (session=0x10b2530, init=1) at gnutls_handshake.c:2472
#17 0x00007f41dbce45d5 in _gnutls_handshake_common (session=0x10b2530) at gnutls_handshake.c:2700
#18 0x00007f41dbce5c67 in gnutls_handshake (session=0x10b2530) at gnutls_handshake.c:2297
#19 0x00007f41dd3196de in ?? () from /usr/lib/libldap_r-2.4.so.2
#20 0x00007f41dd3184a2 in ?? () from /usr/lib/libldap_r-2.4.so.2
#21 0x00007f41dd318703 in ldap_int_tls_start () from /usr/lib/libldap_r-2.4.so.2
#22 0x00007f41dd5338fc in ?? () from /lib/libnss_ldap.so.2
#23 0x00007f41dd533f29 in ?? () from /lib/libnss_ldap.so.2
#24 0x00007f41dd534832 in ?? () from /lib/libnss_ldap.so.2
#25 0x00007f41dd534bbd in ?? () from /lib/libnss_ldap.so.2
#26 0x00007f41dd5352b7 in _nss_ldap_getpwnam_r () from /lib/libnss_ldap.so.2
#27 0x00007f41dda0345d in __getpwnam_r (name=0x4017d4 "foo", resbuf=0x7f41ddcd8ce0, buffer=0x107f010 "nslcd", buflen=1024, result=<value optimized out>) at ../nss/getXXbyYY_r.c:253
#28 0x00007f41dda02e40 in getpwnam (name=0x4017d4 "foo") at ../nss/getXXbyYY.c:117
#29 0x0000000000401202 in main (argc=1, argv=0x7fff1439c538) at debug.c:175

Stack frame 2 (secmem.c:296 in libgcrypt) is of particular interest. The code looks like this (with uid = getuid()):
  if (uid && ! geteuid ())
    {
      /* check that we really dropped the privs.
       * Note: setuid(0) should always fail */
      if (setuid (uid) || getuid () != geteuid () || !setuid (0))
	log_fatal ("failed to reset uid: %s\n", strerror (errno));
    }

This is clearly not what we want... :(

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in ubuntu.
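To make the mechanism in frame 2 concrete, here is an added illustration (not code from the bug report, libgcrypt or libnss-ldap): a pure function that mirrors the uid/euid test libgcrypt's lock_pool() performs before calling setuid(), and a defensive helper a setuid-root tool could use to detect that a name-service lookup silently changed its effective uid. The scenario values (real uid 1000, euid 0) and the helper names are constructed for this example.

```c
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Mirror of the decision libgcrypt's lock_pool() makes (secmem.c:296 in the
 * trace above): when the real uid is non-root but the effective uid is root,
 * it calls setuid(uid). For a setuid-root process this is a permanent drop:
 * setuid() on a process with euid 0 sets real, effective and saved uid at
 * once, so the later setuid(0) is expected to fail. Returns 1 when
 * privileges would be dropped, 0 otherwise. Constructed helper. */
int secmem_would_drop_privs(uid_t uid, uid_t euid)
{
    return (uid != 0 && euid == 0) ? 1 : 0;
}

/* Defensive check for a setuid-root tool (su, sudo): record the effective
 * uid, perform the NSS lookup that may pull in libnss_ldap -> gnutls ->
 * libgcrypt, then verify the effective uid is unchanged. Returns 1 if the
 * privilege state survived the lookup, 0 if it changed, -1 on lookup error.
 * Constructed helper. */
int euid_preserved_across_lookup(const char *name)
{
    uid_t before = geteuid();
    struct passwd pwd;
    struct passwd *result = NULL;
    char buf[1024];

    int rc = getpwnam_r(name, &pwd, buf, sizeof buf, &result);
    if (rc != 0)
        return -1; /* lookup error (not "user not found", which is rc == 0) */

    uid_t after = geteuid();
    return (before == after) ? 1 : 0;
}

int main(void)
{
    /* Constructed scenario matching the report: su/sudo run by uid 1000. */
    printf("uid=1000 euid=0: libgcrypt would drop privs: %d\n",
           secmem_would_drop_privs(1000, 0));
    printf("uid=0 euid=0 (plain root shell): %d\n",
           secmem_would_drop_privs(0, 0));
    printf("uid=1000 euid=1000 (unprivileged): %d\n",
           secmem_would_drop_privs(1000, 1000));

    int ok = euid_preserved_across_lookup("root");
    printf("euid preserved across getpwnam_r(\"root\"): %d\n", ok);
    return (ok == 1) ? 0 : 1;
}
```

Run unprivileged, the lookup check always reports 1; the interesting case is a setuid-root binary on a host where NSS goes through libnss_ldap with TLS, which is exactly the path the trace shows. Note that libgcrypt can be told not to use its secure-memory pool with gcry_control(GCRYCTL_DISABLE_SECMEM, 0) before it is initialised, but only the code that initialises libgcrypt can make that call; su and sudo reach it indirectly through getpwnam() and have no such control, which is why the check above can only detect the problem, not prevent it.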