[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo

Mathias Gug mathiaz at ubuntu.com
Tue Apr 27 18:32:22 BST 2010


** Description changed:

  On Karmic (alpha 4 plus updates), changing the nsswitch.conf 'passwd'
  field to anything with 'ldap' as the first item breaks the ability to
  become root using 'su' and 'sudo' as anyone but root.
  
  Default nsswitch.conf:
  
  passwd:         compat
  group:          compat
  shadow:         compat
  
  matt at box:~$ sudo uname -a
- [sudo] password for matt: 
+ [sudo] password for matt:
  Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 GNU/Linux
  
  matt at box:~$ su -
- Password: 
+ Password:
  root at box:~#
  
  Modified nsswitch.conf with 'ldap' before 'compat':
  
  passwd:         ldap compat
  group:          ldap compat
  shadow:         ldap compat
  
  matt at box:~$ sudo uname -a
  sudo: setreuid(ROOT_UID, user_uid): Operation not permitted
  
  matt at box:~$ su -
- Password: 
+ Password:
  setgid: Operation not permitted
  
  Modified nsswitch.conf with 'ldap' after 'compat':
  
  passwd:         compat ldap
  group:          compat ldap
  shadow:         compat ldap
  
  matt at box:~$ sudo uname -a
- [sudo] password for matt: 
+ [sudo] password for matt:
  Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 GNU/Linux
  
  matt at box:~$ su -
- Password: 
+ Password:
  root at box:~#
  
  The same arrangements in nsswitch.conf work as expected in Jaunty and
  earlier releases.
+ 
+ Lucid Release Note:
+ 
+ == NSS via LDAP+SSL breaks setuid applications like sudo ==
+ 
+ Upgrading systems configured to use ldap over ssl as the first service
+ in the nss stack (in nsswitch.conf) leads to a broken nss resolution for
+ setuid applications after the upgrade to Lucid (for example sudo would
+ stop working). There isn't any simple workaround for now. One option is
+ to switch to libnss-ldapd in place of libnss-ldap before the upgrade.
+ Another one consists in using nscd before the upgrade.

** Changed in: ubuntu-release-notes
       Status: New => Confirmed

-- 
NSS using LDAP+SSL breaks setuid applications like su and sudo
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in ubuntu.



More information about the Ubuntu-server-bugs mailing list